Abstract

We present a logic for analyzing cryptographic protocols. This logic is based on a unification of four of its predecessors in the BAN family of logics, namely those given in [GNY90], [AT91], [vO93b], and BAN itself [BAN89]. The logic herein captures the desirable features of its predecessors and more; nonetheless, as a logic it is relatively simple and simple to use. We also present a model-theoretic semantics, and we prove soundness for the logic with respect to that semantics. We illustrate the logic by applying it to the Needham-Schroeder protocol, revealing that BAN analysis of it may lead to inappropriate conclusions in some settings. We also use the logic to analyze two key agreement protocols, examining an attack on one of them.

Introduction

In the late eighties Burrows, Abadi, and Needham developed BAN logic [BAN89], which quickly became the most widely used and widely discussed formal method for the analysis of identification/authentication protocols, particularly authenticated key distribution protocols. There have since been a number of papers noting BAN's inability or limited ability to reason about some features of both protocols and attacks on protocols. This has led several authors to propose alternatives to BAN. Many of these proposed alternatives are essentially extensions. These extensions yield an increase in reasoning power; however, collectively they accomplished this via a large number of linguistic and logical additions. As a result, one may be left unsure about the assumptions and meanings implicit in the application of these logics. Perhaps more significantly, one becomes increasingly unsure about the soundness of the reasoning that results. Relatedly, the simplicity that was part of BAN's basic appeal is lost.

*Parts of this paper appeared in preliminary form in [vO93] and [SvO94].
This paper presents a logic that encompasses three of these logical expansions, those presented in [GNY90], [AT91], and [vO93b]. (Henceforth these logics will be referred to as 'GNY', 'AT', and 'VO', respectively.) And, since these are essentially expansions, this logic encompasses BAN itself as well. GNY and AT add to and reformulate BAN to better reason about the same class of protocols. VO adds rules to reason about key-agreement protocols. Our logic captures the desirable features of those logics. However, rather than simply tacking together the notation and rules from all of these, we adopt an integrated approach, designed to yield a logic that is sound with respect to a single, relatively simple model of computation. Thus, this paper also presents a semantics underlying these logical expansions.¹ This will be of manifold advantage. First, some of these logics, including BAN itself, have been questioned before for lacking an independently motivated semantic foundation. (Cf., e.g., [Syv91].) Amongst other things, such a foundation can give us assurance that the reasoning in the logic is sound (i.e., false conclusions cannot be derived from true premises). BAN was essentially given such a semantic foundation by Abadi and Tuttle in [AT91]. The model of computation and semantics herein is motivated by Abadi and Tuttle's but differs from it in fundamental ways. Second, having a fairly detailed model eliminates much of the confusion that can arise over the meaning of formal expressions and/or the applicability of logical rules. That is, since we can look at the semantic interpretation of an expression, we can make better decisions about whether that expression really says what we intend to say in a given circumstance. This helps in the protocol idealization step of a BAN or BAN-like analysis. (Analysis in this paper does not include idealization per se. More on this at the appropriate point.) Third, by serving as a common semantics, it allows us to view the extensions from a single perspective. Contrary to first appearances, this need not result in an overly complex logic. For, as a unifying model for comparison, it allows us to see what aspects of each logic can be captured by others and what not. There is thus a fair amount of syntactic reduction since primitives of one language are often definable in another. On the logical level there is a similar amount of axiom chopping. The result is a logic that is surprisingly simple.

¹We refer here to a model-theoretic semantics for a logic. This is not to be confused with a semantics for computer programs, which is generally any mathematical interpretation (formal or informal) of programming constructs.

In the next section of the paper we present a formal language and logic, and we describe the procedure whereby these are to be applied in protocol analysis. (Henceforth this logic will be called 'SVO'.) In §2, we give a basic description of how to analyze protocols using the logic. We then analyze the well known Needham-Schroeder Protocol, henceforth 'NS', as an example [NS78]. This analysis demonstrates our analysis technique. It also allows us to compare our approach to that in [BAN89], in particular to examine a new observation, a misleading result that can be derived by using BAN analysis on the NS protocol. This highlights some of the advantages of SVO. In §3 we present a model of computation and a semantics for the language presented in §1, and we prove that the logic is sound with respect to the semantics. In §4 we apply SVO to two key agreement protocols, one from [MTI86] labelled 'A(0)' and the STS protocol from [DvOW92]. We derive that the protocols satisfy certain desirable goals and examine a potential attack on A(0). Finally, we present our conclusions and some directions for future work in §5.

The appendices give our arguments that SVO captures the expressive and deductive powers of GNY and VO. In appendix A we look at the language and logic of GNY in comparison to SVO. In appendix B we look at the language and logic of VO in comparison to SVO. In particular we consider in these sections how to capture in SVO the linguistic expressibility and logical derivability of GNY and VO. In so doing we also give definitions in SVO of useful expressions from the languages of those logics. We do not present a separate section for comparative discussions of AT. AT is the only previously given logic with a model-theoretic semantics. Comparisons between AT and SVO syntax require a semantic context as well, and, in the interest of brevity, we will not give a presentation of the full Abadi-Tuttle semantics. We therefore make comparative comments at appropriate points throughout §§1 and 3. (The rules and axioms of AT, GNY, and VO are summarized in appendices C to E for handy reference.)


1 Syntax

We will now present a logic capturing the desirable properties of BAN, AT, GNY, and VO that is both sound and relatively easy to use. Our presentation follows the structure of [AT91], with some important differences.

1.1 The Language

We begin with a definition of our language. Following Abadi and Tuttle, we reflect that we are looking at abstract protocols and are hence representing the sending of messages composed of expressions in a language rather than mere bitstrings. However, we expand the language slightly to cover, e.g., public keys, functions, and message comprehensibility. We also contract the language by doing away with separate syntax for forwarded messages and for binding messages to shared secrets. (The first is eliminated because we have no current use for it. The second is eliminated because its contributions are captured in our language by other means.)

We assume the existence of a set of primitive terms, T, containing a number of sets of constant symbols representing principals, shared keys, public keys, private keys, numerical constants, etc. We also include a set of symbols, {*1, *2, ...}, to represent unrecognized received messages (or message fragments). We actually require two formal languages, one for messages and one for formulae. Only formulae can be true or false or have a principal's belief attributed to them. On the other hand, some messages are not formulae, e.g., a message consisting of a name and a nonce. In particular, no term is a formula, and vice versa. References to the language of SVO are meant to encompass both languages.

Messages and formulae of the language are built from T by mutual induction. The language of messages, M_T, is the smallest language over T satisfying:

• X is a message if X ∈ T,

• F(X1, ..., Xn) is a message if X1, ..., Xn are messages and F is any function (including, e.g., ordered n-tuples, (X1, ..., Xn), encryptions, {X}K, and signed messages [X]K),

• φ is a message if φ is a formula.

The language of formulae, F_T, is the smallest language satisfying:

• P ←K→ Q, PK_ψ(P,K), PK_σ(P,K), and PK_δ(P,K) are formulae when P and Q are principals and K is a key,

• SV(X,K,Y) is a formula when X and Y are messages and K is a key,

• P sees X, P received X, P says X, P said X, and fresh(X) are formulae when X is a message and P is a principal,

• ¬φ (not-φ) and φ ∧ ψ (φ and ψ) are formulae if φ and ψ are formulae (other connectives are definable in the usual manner),²

• P believes φ and P controls φ are formulae when φ is a formula and P is a principal.

Most of the expressions just given either are standard usage in BAN and its derivatives or should be intuitively clear. We give a brief intuitive description here for those that may not be. 'P controls φ' indicates that P is a trusted authority on φ. If P says φ, then φ is so. 'P ←K→ Q' indicates that K is a symmetric key shared exclusively by P and Q. No one other than P or Q will ever encrypt messages using K, and only P, Q, and those they trust (e.g., a server who might generate it) know K. 'PK(P,K)' is used similarly for public keys. K is P's public key, and 'K^-1' is used exclusively to refer to the corresponding private key. 'PK_ψ(P,K)', 'PK_σ(P,K)', and 'PK_δ(P,K)' are for encryption, signature, and key agreement keys, respectively. Keys themselves may or may not have subscripts.³ Typically, keys and nonces have mnemonic subscripts, e.g., A ←Kab→ B. 'SV(X,K,Y)' refers to signature verification. It says that, given signed message X, applying K to it as a signature verification key verifies Y as the message signed with the corresponding private key. The meaning in our semantics of all expressions will be discussed below in §3.2.

A few more notes on notation: Typically '{X}K' is meant to refer to transformations of X using K. We mean specifically to include shared and public key encryption under this notation. We find the following notation useful for giving a uniform presentation of the axioms. K̄ is the complement of key K. In public key ciphering schemes, K^-1 is the complement of K, and K is the complement of K^-1. In shared key schemes K̄ = K. Unless restricted, either explicitly or implicitly by context, 'K' will refer below to any symmetric, private, or public key. We can always treat encryption and decryption as functions parameterized by the relevant key. Thus, we can generalize this notation to 'F̄', expressing the complement of a function F. This notation assumes that we are referring to an effectively one-one (injective) function, that is, a function such that it is computationally difficult to find pairs of arguments mapping to the same value, whether or not that value is given. It does not assume that either the function or its complement (inverse) is feasibly computable in practice.

²We will use '⊃' (pronounced "horseshoe") rather than '→' to represent the conditional to avoid confusion with the standard notation for sending a message in protocol description, e.g., 'A → B'. (In our primitive notation, φ ⊃ ψ is of course ¬(φ ∧ ¬ψ) [Men87].)

³In [BAN89], the public key and shared key notations for indicating key appropriateness were more similar. We have followed the notational conventions of [GS91] and [vO93b]. In the presence of three types of public keys, we find this to be the best compromise between familiarity and readability. Further issues that lead to this choice of public key notation are discussed in appendix B.

Some previous BAN logics have used expressions such as '{X}K' to represent digital signatures as well as encryptions. If one uses simple RSA exponentiation with a private key for signatures, then it is possible to treat a digital signature as simply the inverse of public key enciphering. Thus, given the public key, K, one can recover X from {X}K^-1, and the notational choice is somewhat natural. We instead use '[X]K' to represent message X digitally signed using key K. In most modern signature schemes it is not possible to recover X from the signature itself, even if one possesses K. Thus, signing is not in any reasonable sense the inverse of encryption. To make clear that we are assuming a standard signature scheme (without message recovery) we have adopted this notation. '[X]K' refers to the signed message, not just the signature. Therefore, anyone in possession of [X]K is automatically in possession of X.

Throughout the paper φ and ψ are metalinguistic symbols used to refer to arbitrary formulae. Γ is a metalinguistic symbol referring to sets of formulae.

1.2 The SVO Logic

Our logic is a modal logic [Che80]. It has two inference rules:

Modus Ponens: From φ and φ ⊃ ψ infer ψ.

Necessitation: From ⊢ φ infer ⊢ P believes φ.

'⊢' is a metalinguistic symbol.⁴ 'Γ ⊢ φ' means that φ is derivable from the set of formulae Γ (and the axioms as stated below). '⊢ φ' means that φ is a theorem, i.e., derivable from axioms alone. We describe derivability (i.e., proofs) below in §2. Axioms are all instances of tautologies of classical propositional calculus [Men87], and all instances of the following axiom schemata:⁵

⁴The symbol '⊢' is usually pronounced "turnstile". The symbol '⊨', to be introduced, is pronounced "double turnstile".

⁵Some of the following are proper axioms, logically. Those containing metavariables for formulae are actually axiom schemata. We will generally ignore this distinction, referring to all as 'axioms'.

Believing For any principal P and formulae φ and ψ:

Ax1. P believes φ ∧ P believes (φ ⊃ ψ) ⊃ P believes ψ

Ax2. P believes φ ⊃ P believes (P believes φ)

Axiom Ax1 says that a principal believes all that logically follows from his beliefs. Axiom Ax2 says in effect that a principal can tell what he believes.

Source Association Keys are used to deduce the identity of the sender of a message.

Ax3. (P ←K→ Q ∧ R received {X^Q}K) ⊃ (Q said X ∧ Q sees K)

Ax4. (PK_σ(Q,K) ∧ R received X ∧ SV(X,K,Y)) ⊃ Q said Y

Recall that 'PK_σ(Q,K)' says that K is the public signature verification key for Q, and 'SV(X,K,Y)' says that given signed message X, applying K to it as a signature verification key verifies Y as the message signed with K̄. In saying 'PK_σ(Q,K)' we assume enough redundancy in the signature scheme to preclude attackers possessing only K from producing a valid signature for Q on any message, meaningful or otherwise. This feature is designed into most modern signature schemes. Precise meaning is set out in §3.2.

By definition, all symbols in the axioms are symbols of the languages specified above, F_T and M_T. Thus, in particular, the X in these axioms is a message, not a bitstring. But, a key can be applied (by anyone who has it) to any bitstring to yield another bitstring. This apparent incongruity is handled in our language by the unrecognized message symbols {*1, *2, ...}, which will be discussed more below. The superscripted Q in axiom Ax3 indicates that the message is from Q (rather than P). Honest principals possessing the key K are assumed to be able to correctly indicate message origin, and others possessing K are assumed to be able to evaluate correctly indicated message origin. Principals not possessing K are assumed to be unable to so indicate or evaluate origin. (This notation is admittedly an inelegance. There is no standard mechanism to indicate who a message is from. Even if a message contains an encrypted who-from field there is no standard place it need occur in an authentication protocol message. Further, some contextual mechanisms do not explicitly indicate the sender at all. For example, consider the handshake at the end of the Needham-Schroeder protocol, discussed in §2.1. Leaving redundancy issues raised in §2.1 aside, message 4 indicates that it is from B simply by being the first use of the distributed key Kab. Message 5 is indicated to be from A by varying the (unpredictable) plaintext contents of message 4 in a predictable way and then reencrypting with Kab. Whether such mechanisms are appropriate in context to justify use of the superscript notation is something that should be evaluated extralogically.)

Key Agreement Session keys that are the result of good key-agreement keys are good.

Ax5. ((PK_δ(P,Kp)) ∧ (PK_δ(Q,Kq))) ⊃ P ←F0(Kp,Kq)→ Q

Ax6. φ ≡ φ[F0(K,K')/F0(K',K)]

Recall that 'PK_δ(R,K)' says that K is the public key-agreement key for R and implies that K^-1 remains secret. Precise meaning is set out in §3.2. Here 'F0(Kp,Kq)' implicitly indicates a key agreement function as in Diffie-Hellman key exchange [DH76]. The indication is implicit because the explicit arguments of F0 are both public keys. Key agreement is a function of one public and one private key. The function implied by F0 is a key agreement function using the public key in the first argument of F0 with the private key corresponding to the second argument. In Ax6 'φ[F0(K,K')/F0(K',K)]' indicates the same formula as φ except that F0(K,K') is substituted everywhere that F0(K',K) occurs in φ. The axiom says that the two formulae are logically equivalent. In other words, the logic respects the symmetry of key agreement.

Receiving A principal receives the concatenates of received messages and decryptions with available keys, as well as the message contained in any received signed message.

Ax7. P received (X1, ..., Xn) ⊃ P received Xi

Ax8. (P received {X}K ∧ P sees K̄) ⊃ P received X

Ax9. P received [X]K ⊃ P received X

Seeing A principal sees anything he receives. A principal also sees all components of every message he sees and any message he can compute from what he sees. The difference in meaning between seeing and receiving is made precise in §3.2.

Ax10. P received X ⊃ P sees X

Ax11. P sees (X1, ..., Xn) ⊃ P sees Xi

Ax12. (P sees X1 ∧ ... ∧ P sees Xn) ⊃ (P sees F(X1, ..., Xn))

Here F is meta-notation for any function feasibly computable in practice by P, for example, X1 + ... + Xn. There is no axiom for seeing corresponding to axiom Ax8 for receiving, i.e., (P sees {X}K ∧ P sees K̄) ⊃ P sees X. Such an axiom is a special case of axiom Ax12, where F is the application of K̄ to {X}K.

Comprehending If a principal comprehends a message and sees a function of it (of the appropriate type), then he understands that this is what he is seeing.

Ax13. P believes (P sees F(X)) ⊃ P believes (P sees X)

Here F is meta-notation for any effectively one-one function such that either F or F̄ is computable in practice by P. F may represent encryption or decryption where the relevant key is treated as a parameter.

This axiom is fairly subtle. It might appear to imply that P can invert F, i.e., can readily find X given the value of F(X). Actually, if P can calculate F but not invert it, then axiom Ax13 says that he only knows he has F(X) if he already knows that he has X. This axiom captures what we want of GNY's recognizability. Note that the converse of axiom Ax13 is a theorem, following from axiom Ax1 and axiom Ax12 by necessitation and modus ponens.

Saying A principal who has said a concatenated message has also said and sees the concatenates of that message. A principal who has recently said X has said X. A principal sees what he says.

Ax14. P said (X1, ..., Xn) ⊃ (P said Xi ∧ P sees Xi)

Ax15. P says (X1, ..., Xn) ⊃ (P said (X1, ..., Xn) ∧ P says Xi)

Jurisdiction This axiom in effect says that P's word is law for the φ in question.

Ax16. (P controls φ ∧ P says φ) ⊃ φ

Freshness A concatenated message is fresh if one of its concatenates is fresh, and any effectively one-one function F (including encryption and decryption) of a fresh message is fresh.

Ax17. fresh(Xi) ⊃ fresh(X1, ..., Xn)

Ax18. fresh(X1, ..., Xn) ⊃ fresh(F(X1, ..., Xn))

The function F in axiom Ax18 must be genuinely dependent on the fresh component. For example, if X1 is fresh, then (X1, X2, X3) is fresh; however, the value of X2 + (0 · X1) + X3 is not. Specifically, a function is genuinely dependent on an argument if computing the value of the function is infeasible without the value of that argument.

Nonce-Verification Freshness promotes a message from having been said (sometime) to having been said during the current epoch.

Ax19. (fresh(X) ∧ P said X) ⊃ P says X

Symmetric goodness of shared keys A shared key is good for P and Q iff it is good for Q and P.

Ax20. P ←K→ Q ≡ Q ←K→ P

2 Protocol Analysis

In this section we give a brief description of our syntactic protocol analysis technique, which is somewhat similar to the techniques associated with previous BAN logics. A major difference is that we do not idealize the protocol. (What 'idealize' means will be explained in the next subsection.)

Syntactic analysis comes in two main steps. First, we set out premises that reflect assumptions based on the protocol description. Second, we prove desired goals using those premises together with the axioms and rules of the logic. These steps are typically carried out against a background of goals the protocol is intended to meet. Should we fail to prove one or more of these goals, we may want to add the step of considering why the protocol fails to meet its goals. This may include looking for possible attacks. Relatedly, we may semantically analyze our premises to see if any of them can be false in a run of the protocol. (Semantics is discussed below in §3.)

Premises can typically be grouped into four types. First are initial assumptions, those things assumed to be true at the start of the protocol. Examples include each principal's belief in the freshness of nonces it generates, the goodness of long term keys principals share with servers, the jurisdiction of a server over the quality and freshness of keys it sends, etc. Also included are premises reflecting a principal's comprehension of terms it simply has without receiving them during the current protocol run and premises reflecting a principal's comprehension of relevant signature verifications. For a specific example, consider a protocol step in which a key server S distributes a key to principal A for the purpose of talking with B:

S → A: {Ts, B, Kab}Kas

This means that S has sent the following to A (all encrypted with Kas, a symmetric key shared by A and S): a timestamp, Ts, B's identifier, and the session key Kab. Premises of the first type that would play a role in analyzing this message would include fresh(Ts), A believes fresh(Ts), A ←Kas→ S, and A believes A ←Kas→ S.

Second are premises reflecting the receipt of messages sent in a protocol run. These can be taken directly from the protocol specification. The corresponding reception premise for the protocol step just presented would be

A received {Ts, B, Kab}Kas.

These are often unused in proofs, but they help in the formation of later premises.

Third are premises reflecting what is comprehended by each principal of the messages he receives. Even if A receives {Ts, B, Kab}Kas, she might not understand all of the message. For example, the random nature of distributed keys makes them inherently unrecognizable (in themselves by those who did not generate them). Assuming timestamps and names are recognizable, a premise of this type corresponding to the above protocol step would be

A believes A received {Ts, B, *1}Kas.

In practice, it is generally clear how to produce such premises from the premises of the second type in consideration of the submessages that are comprehended by the receiving principal.
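The Receiving and Seeing axioms Ax7 to Ax12 of §1.2, together with the second- and third-type premises just described, carried out mechanically on the S → A step above. This is an added example and not the paper's own; the term classes, the key-complement table and the set of names A is taken to recognize are constructed for the illustration.

```python
# Added example, not from the paper: SVO message terms, a saturation of the
# Receiving axioms Ax7-Ax9 and Seeing axioms Ax10-Ax12 (with F restricted to
# projection, signature stripping and decryption), and derivation of a
# comprehension premise (third type, Section 2): atoms the receiver cannot
# recognize, and ciphertexts it cannot open, become the symbols *1, *2, ...
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple, Union

@dataclass(frozen=True)
class Atom:
    """Primitive term from T: principal name, key, nonce or timestamp."""
    name: str
    def __str__(self) -> str:
        return self.name

@dataclass(frozen=True)
class Concat:
    """Ordered n-tuple (X1, ..., Xn); printed without parentheses as in the paper."""
    parts: Tuple["Msg", ...]
    def __str__(self) -> str:
        return ", ".join(str(p) for p in self.parts)

@dataclass(frozen=True)
class Enc:
    """{X}K: X transformed (encrypted) under key K."""
    body: "Msg"
    key: Atom
    def __str__(self) -> str:
        return "{" + str(self.body) + "}" + self.key.name

@dataclass(frozen=True)
class Signed:
    """[X]K: X together with its signature under K; X itself is recoverable."""
    body: "Msg"
    key: Atom
    def __str__(self) -> str:
        return "[" + str(self.body) + "]" + self.key.name

Msg = Union[Atom, Concat, Enc, Signed]

# K-bar: a shared key is its own complement; public/private pairs are listed in
# both directions. Constructed table for this example.
COMPLEMENT: Dict[str, str] = {"Kb": "Kb^-1", "Kb^-1": "Kb"}

def complement(k: Atom) -> Atom:
    return Atom(COMPLEMENT.get(k.name, k.name))

def step_parts(m: Msg, sees: Set[Msg]) -> Set[Msg]:
    """What one application of Ax7/Ax8/Ax9 (or Ax11/Ax12) yields from m."""
    if isinstance(m, Concat):
        return set(m.parts)                     # Ax7 / Ax11: the concatenates
    if isinstance(m, Signed):
        return {m.body}                         # Ax9 / Ax12: the signed message
    if isinstance(m, Enc) and complement(m.key) in sees:
        return {m.body}                         # Ax8 / Ax12: decryption with K-bar
    return set()

def saturate(received: Set[Msg], sees: Set[Msg]) -> Tuple[FrozenSet[Msg], FrozenSet[Msg]]:
    """Close (received, sees) under Ax7-Ax12 until a fixpoint is reached."""
    received, sees = set(received), set(sees)
    while True:
        new_received = set().union(*(step_parts(m, sees) for m in received)) - received
        seen_now = received | set().union(*(step_parts(m, sees) for m in sees))  # Ax10-Ax12
        new_seen = seen_now - sees
        if not new_received and not new_seen:
            return frozenset(received), frozenset(sees)
        received |= new_received
        sees |= new_seen

def comprehend(m: Msg, recognizable: Set[str], sees: FrozenSet[Msg], ctr: List[int]) -> Msg:
    """m as the receiver understands it: atoms outside `recognizable` (e.g. a
    freshly generated session key) and encryptions whose K-bar the receiver
    does not see become *1, *2, ... in order of appearance."""
    if isinstance(m, Atom) and m.name in recognizable:
        return m
    if isinstance(m, Concat):
        return Concat(tuple(comprehend(p, recognizable, sees, ctr) for p in m.parts))
    if isinstance(m, Signed):
        return Signed(comprehend(m.body, recognizable, sees, ctr), m.key)
    if isinstance(m, Enc) and complement(m.key) in sees:
        return Enc(comprehend(m.body, recognizable, sees, ctr), m.key)
    ctr[0] += 1
    return Atom(f"*{ctr[0]}")

def analyze_step(msg: Msg, initially_sees: Set[Msg], recognizable: Set[str]):
    """Second- and third-type premises for one received message:
    (received closure, sees closure, comprehended message)."""
    received, sees = saturate({msg}, initially_sees)
    return received, sees, comprehend(msg, recognizable, sees, [0])

# Constructed instance of the paper's example step  S -> A: {Ts, B, Kab}Kas.
Ts, B, Kab, Kas = Atom("Ts"), Atom("B"), Atom("Kab"), Atom("Kas")
STEP = Enc(Concat((Ts, B, Kab)), Kas)
A_HAS = {Atom("A"), B, Kas}                    # what A sees before the run
A_RECOGNIZES = {"A", "B", "S", "Ts", "Kas"}    # names, timestamps, A's long-term key

if __name__ == "__main__":
    rec, _, understood = analyze_step(STEP, A_HAS, A_RECOGNIZES)
    print("A received:", sorted(map(str, rec)))
    print("A believes A received", understood)   # {Ts, B, *1}Kas
```

On the S → A step the receiver ends up having received Ts, B and Kab and understands the message as {Ts, B, *1}Kas; without Kas nothing inside is received and the whole message is a single *1. The same functions applied to NS message 2 (listed in §2.1) give A's comprehension {Na, B, *1, *2}Kas, the inner ciphertext for B being opaque to A.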

Fourth are premises reflecting the interpretation that a receiver attaches to a received message. (This is the primary replacement for idealization.) These indicate what the receiver assumes the sender meant by a given message. For the above protocol step, a reasonable candidate would be

A believes (A received {Ts, B, *1}Kas ⊃ A received {Ts, B, A ←Kab→ B, fresh(Kab)}Kas)

This is only a candidate since the actual premise appropriate for this protocol might depend on features of the protocol that our simple example does not capture, such as other messages A has sent or received. We will be analyzing an actual protocol presently and will then further illustrate and discuss premises of various types.

With the premise set established we attempt to derive various goals concerning the protocol. A proof is a sequence of formulae in the logic. Each line of a proof is either a premise, an axiom, or derivable from preceding lines via modus ponens or necessitation. Our notion of proof differs from Abadi and Tuttle's since they only allow modus ponens to apply to theorems of the logic. This would preclude premises as legitimate lines in a proof.⁶

In AT and SVO necessitation must always be restricted to theorems. This is a crucial point about proofs, which may be missed by those unfamiliar with logic per se. Theorems are formulae provable from axioms alone. The rule of necessitation cannot be applied to any of the above premise examples nor to any line in a proof that depends on a premise. Otherwise we could use necessitation to show that any principal believes anything that we have assumed. This is a mistake, even if what we have assumed is true. For example, suppose that A ←K→ B is true. We do not want to therefore conclude that C believes A ←K→ B.
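A small proof checker that enforces the restriction just stated, added here as an illustration and not part of the paper: every line carries the set of premises it rests on, modus ponens takes the union of those sets, and necessitation is refused on any line whose set is non-empty. Formulae are nested tuples of the assumed form ("imp", φ, ψ), ("and", φ, ψ) and ("believes", P, φ); only these shapes are modelled.

```python
# Added example, not from the paper: a minimal checker for proofs in the sense
# of Section 2 (lines are premises, axioms, or follow by modus ponens or
# necessitation). It records which premise lines each line depends on and
# refuses necessitation on any line that is not a theorem, i.e. whose
# dependency set is non-empty. Formulae are nested tuples; only the shapes
# needed here exist.
from typing import List, Set, Tuple

Formula = Tuple  # ("atom", text) | ("imp", phi, psi) | ("and", phi, psi) | ("believes", P, phi)

def atom(text: str) -> Formula:
    return ("atom", text)

def imp(phi: Formula, psi: Formula) -> Formula:
    return ("imp", phi, psi)

def conj(phi: Formula, psi: Formula) -> Formula:
    return ("and", phi, psi)

def believes(p: str, phi: Formula) -> Formula:
    return ("believes", p, phi)

def ax1(p: str, phi: Formula, psi: Formula) -> Formula:
    """Instance of Ax1: P believes phi AND P believes (phi > psi) > P believes psi."""
    return imp(conj(believes(p, phi), believes(p, imp(phi, psi))), believes(p, psi))

class Proof:
    """A sequence of formulae. deps[i] is the set of premise line numbers that
    line i+1 rests on; an empty set means the line is a theorem."""
    def __init__(self) -> None:
        self.lines: List[Formula] = []
        self.deps: List[Set[int]] = []

    def _add(self, f: Formula, deps: Set[int]) -> int:
        self.lines.append(f)
        self.deps.append(deps)
        return len(self.lines)          # 1-based line number

    def premise(self, f: Formula) -> int:
        return self._add(f, {len(self.lines) + 1})   # depends on itself

    def axiom(self, f: Formula) -> int:
        return self._add(f, set())

    def modus_ponens(self, i: int, j: int) -> int:
        """From line i (phi) and line j (phi > psi) infer psi, inheriting both dependency sets."""
        phi, cond = self.lines[i - 1], self.lines[j - 1]
        if cond[0] != "imp" or cond[1] != phi:
            raise ValueError(f"line {j} is not a conditional whose antecedent is line {i}")
        return self._add(cond[2], self.deps[i - 1] | self.deps[j - 1])

    def necessitation(self, i: int, p: str) -> int:
        """From |- phi infer |- P believes phi. Only a theorem qualifies."""
        if self.deps[i - 1]:
            raise ValueError(f"necessitation refused: line {i} depends on premise(s) "
                             f"{sorted(self.deps[i - 1])} and so is not a theorem")
        return self._add(believes(p, self.lines[i - 1]), set())

def theorem_necessitated() -> Formula:
    """Legitimate use: an Ax1 instance is a theorem, so C may be taken to believe it."""
    pr = Proof()
    t = pr.axiom(ax1("A", atom("phi"), atom("psi")))
    return pr.lines[pr.necessitation(t, "C") - 1]

def derive_from_premise() -> Tuple[Formula, Set[int]]:
    """Modus ponens on a premise and Ax1 yields 'A believes psi', which still
    depends on premise line 1 and therefore cannot be necessitated."""
    pr = Proof()
    p = pr.premise(conj(believes("A", atom("phi")), believes("A", imp(atom("phi"), atom("psi")))))
    a = pr.axiom(ax1("A", atom("phi"), atom("psi")))
    n = pr.modus_ponens(p, a)
    return pr.lines[n - 1], pr.deps[n - 1]

def misuse_is_refused() -> bool:
    """The paper's warning: from the premise that A <-K-> B is true, one must
    not conclude that C believes A <-K-> B."""
    pr = Proof()
    k = pr.premise(atom("A <-K-> B"))
    try:
        pr.necessitation(k, "C")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(theorem_necessitated())
    print(derive_from_premise())
    print("necessitation on a premise refused:", misuse_is_refused())   # True
```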

Syntactic analysis of the type just described is all that is available using BAN, GNY, and other logics without an independent semantics. AT and SVO add another level to this by providing an independently motivated model-theoretic semantics. In addition to other values, this allows one to do semantic analysis of the protocol. One advantage of this is a rigorous means of assessing the truth of initial assumptions and other premises. Problems arising from initial assumptions, as in the Nessett protocol [Nes90], are thus addressable using these logics. (Cf. [Syv92] for a detailed discussion.) We now look at a specific example to illustrate our analysis technique.

2.1 The Needham-Schroeder Protocol

NS is a typical protocol for key distribution to two principals via an on-line authentication and key distribution server [NS78]. It is also a standard example for analysis because it is subject to an attack that has long been well known [DS81]. The protocol is as follows:


1. A → S : A, B, Na
2. S → A : {Na, B, Kab, {Kab, A}Kbs}Kas
3. A → B : {Kab, A}Kbs
4. B → A : {Nb}Kab
5. A → B : {Nb − 1}Kab

In the first message A tells the server that she would like to obtain a session key for talking with B, and she includes a nonce, Na, for S to include in his response thus identifying it as a response. In the second message, S sends A the session key, Kab, B's name indicating that it is for a session with B, and A's nonce. He also includes a message encrypted with a key S shares with B consisting of the session key and A's name to show that the key is for talking with A. The whole second message is encrypted with a key that S shares with A. A decrypts the message, and, if the nonce and B's name agree with the message she sent, she forwards the portion encrypted for B to B in message 3. B decrypts this to obtain the session key. He then generates a nonce and encrypts it with Kab and sends this to A. A decrypts the nonce and subtracts one from it (to distinguish the final message from a simple reflection of message 4, which could be from anyone). She then encrypts this with Kab and sends it to B.

6 Our choice to characterize proofs in this way has important repercussions for other features of the logic. In AT, since every line of a derivation must be a theorem of the logic, it is necessary for analysis to restrict consideration to "good" runs where, e.g., negations do not occur within belief operators in initially held beliefs. We need place no such restrictions. (These restrictions are not present in [AT91] simply to make derivations sound; they have other motivations as well, which we will not discuss.)

2.2 Analysis of the NS protocol

The first step in analyzing the protocol is to set out the assumptions that we make based on the protocol specification. These will serve as premises, which we will use together with the axioms and rules of the logic to derive conclusions. Generic assumptions include each principal's belief that the nonces it generates are fresh, belief that the server has jurisdiction over the freshness and goodness of session keys it sends, and belief that the long term key it shares with the server is good. Formally, these are

P1 A believes fresh(Na)
   B believes fresh(Nb)

P2 A believes S controls (A ←Kab→ B)
   B believes S controls (A ←Kab→ B)

P3 A believes S controls (fresh(Kab))
   B believes S controls (fresh(Kab))

P4 A believes (A ←Kas→ S)
   B believes (B ←Kbs→ S)

We also assume that each of the principals received the messages they were sent. (Since we do not use the first message in our analysis, we do not bother with a corresponding premise.)

P5 A received {Na, B, Kab, {Kab, A}Kbs}Kas
P6 B received {Kab, A}Kbs
P7 A received {Nb}Kab
P8 B received {Nb − 1}Kab


Received messages are not necessarily understood. We must explicitly include in the premise set what messages are understood by the principals and what those messages mean. Thus, we include A believes A received X for each message X that A is assumed to comprehend based on redundancy or an expectation, e.g., a nonce A sent out — and similarly for B. (We have not included any premise corresponding to P7 (message 4) since there is nothing in that message that is comprehensible to A.)

P9  A believes A received {Na, B, *1, *2}Kas
P10 B believes B received {*3, A}Kbs
P11 B believes B received {Nb − 1}*3

Finally, we include premises corresponding to the assumed meaning that principals attach to received messages. (These correspond to the assumptions implicit in idealizing a protocol as in [BAN89].)

P12 A believes (A received {Na, B, *1, *2}Kas ⊃
    A received {Na, B, A ←Kab→ B, fresh(Kab), *2}Kas)

P13 B believes (B received {*3, A}Kbs ⊃
    B received {A ←Kab→ B, fresh(Kab)}Kbs)

P14 B believes ((B received {*3, A}Kbs ∧
    B received {Nb − 1}*3) ⊃
    B received {Nb − 1}Kab)

These premises preclude automated analysis because they typically vary from protocol to protocol even for a message with the same specification. Mao and Boyd have a BAN-like formal method that does allow for full automation [MB93]. They accomplish this by requiring that the protocol be specified in their own language, at a much greater level of detail than usual. In a sense, they thus incorporate the idealization into the specification. GNY does something similar in its message interpretation rules.

Note that, in P14, for B to believe he has received {Nb − 1}Kab, it is not enough that he receive the message that he interprets to say this; he must also believe he has received the previous message in which S told him Kab. Without the previous message, he would not have the key and could not recognize it as a (candidate) key for speaking with A.

We can now proceed with our formal derivation of goals using SVO. In the interests of brevity, we will compress many of the proof steps together, and we will not cite the use of propositional reasoning used in giving the justification for derivation lines. The first derivation is of goals for A. We will discuss some typical goals for protocols in §4.1. The goals we derive here are that A believes the distributed key is good for talking with B (line 5) and that A believes the distributed key is fresh (line 6). In the justification of each line in any derivation, 'Axn' refers to axiom Axn of our logic, 'Nec' to the Necessitation rule, and 'MP' to the Modus Ponens rule.

1. A believes A received {Na, B, A ←Kab→ B, fresh(Kab), *2}Kas
   by P9, P12, Ax1, MP

2. A believes S said (Na, B, A ←Kab→ B, fresh(Kab), *2)
   by 1, P4, Ax3, Ax1, Nec, MP

3. A believes fresh(Na, B, A ←Kab→ B, fresh(Kab), *2)
   by P1, Ax17, Ax1, Nec, MP

4. A believes S says (Na, B, A ←Kab→ B, fresh(Kab), *2)
   by 2, 3, Ax19, Ax1, Nec, MP

5. A believes A ←Kab→ B
   by 4, P2, Ax15, Ax16, Ax1, MP

6. A believes fresh(Kab)
   by 4, P3, Ax15, Ax16, Ax1, MP

We now derive goals for B. These are rather different than for A. B can only conclude that S once said that the key is good for talking to A and that it is fresh (lines 3 and 4 below). He cannot conclude that the key is good or fresh. He can also confirm the existence of some currently active, far end party who knows the key (line 5 below).

1. B believes B received {A ←Kab→ B, fresh(Kab), A}Kbs
   by P10, P13, Ax1, MP

2. B believes S said (A ←Kab→ B, fresh(Kab), A)
   by 1, P4, Ax3, Ax1, Nec, MP

3. B believes S said A ←Kab→ B
   by 2, Ax14, Ax1, Nec, MP

4. B believes S said fresh(Kab)
   by 2, Ax14, Ax1, Nec, MP

5. B believes B received {Nb − 1}Kab
   by P10, P11, P14, Ax1, MP

2.2.1 SVO vs. BAN analysis of the NS protocol

We now discuss the results of our analysis and contrast them with those of the analysis of NS in [BAN89]. We feel that the above analysis is about as simple as the one in [BAN89]. While there can be no objective measure of this, we emphasize that the proofs in [BAN89] are sketchier than the above. This may lead to an appearance of greater simplicity. We now turn to the premises of each analysis.

P1-P4 constitute a subset of the assumptions given in [BAN89]. The BAN assumptions also include assumptions about the server's belief in the quality of the long term keys and the quality and freshness of distributed session keys. While reasonable, they are unnecessary for the analysis given in [BAN89] or the one herein, so we have left them out. It is interesting to note that, even if unnecessary, these assumptions are more natural in the context of BAN analysis since it is there necessary to derive that A believes S believes A ←Kab→ B in order to derive A believes A ←Kab→ B. These assumptions thus attest to the consistency of such a second order belief with the first order belief that is its object. In other words, if these assumptions of first order belief are true, then the corresponding second order beliefs cannot be incorrect. In our analysis, this second order belief is replaced with the more conservative formula A believes S says A ←Kab→ B. Nonetheless, note that assumptions such as P2, which are common in such analysis, can be somewhat dangerous [vO93a].

The assumptions in [BAN89] also include the assumption that B believes the session key to be fresh. As noted by Burrows et al., this is a dubious assumption that overlooks the possibility of attacks in which an old, compromised session key is used, such as in the Denning-Sacco attack. It is included in [BAN89] not because the authors think it is justifiable, but to illustrate that a desirable protocol goal cannot be reached without it.

P5-P8 reflect the messages that each principal receives. These directly reflect the specified protocol without any interpretation of message contents, as would occur in idealization. They correspond to premises based on the protocol annotation step of analysis in [BAN89]; although in a BAN analysis, protocols are annotated only after idealization. As would typically be the case, these premises play no role in our proofs; however, they do play a role in our analysis by helping us to see what the following premises should look like.

P9-P11 do not directly correspond to anything in BAN analysis, except perhaps to global assumptions about the recognizability of messages. They reflect which parts of received messages receivers can tie back to originally understood message components or to each other.

P12-P14 reflect how receivers interpret received messages in the context of the given protocol. They are typically the hardest premises to produce, sometimes requiring awareness of intended application and context in addition to the protocol specification. These correspond roughly to idealization and annotation in [BAN89]. There, idealization interprets the meaning of messages, and annotation allows the assumption of a premise expressing that the receiver received the idealized message he was sent. The BAN approach is typically a little less explicit. This lack of explicitness naturally engenders less detail of expression (hence greater simplicity in appearance).

The idealization of NS from [BAN89], expressed in our notation, is as follows:

2. S → A : {Na, (A ←Kab→ B), fresh(Kab), {A ←Kab→ B}Kbs}Kas
3. A → B : {A ←Kab→ B}Kbs
4. B → A : {Nb, (A ←Kab→ B)}Kab from B
5. A → B : {Nb, (A ←Kab→ B)}Kab from A

We will now illustrate the significance of one important difference between our receiver's interpretation premises and BAN's idealization and annotation in the context of what is provable from them.


Derived goals of the analysis in [BAN89] include that A believes that B believes A ←Kab→ B. Nothing comparable is provable in the above analysis. Since this is a desirable result, the above analysis might be too weak. Whence the difference?


Idealization attaches one meaning for both the sender and the receiver; whereas receiver's interpretation premises attach only the meaning for the receiver. Thus, in [BAN89], the inclusion of A ←Kab→ B in the idealization of messages 4 and 5 is to assure "each principal that the other believes the key is good. These statements can be included because neither message would have been sent if the statements were not believed." [BAN89], p. 19. The inclusion is thus based on the intended meaning of a message on the part of the sender. However, BAN annotation based on this idealization allows us to derive that A believes that B once said A ←Kab→ B. And, based on this we can prove that A believes that B believes A ←Kab→ B. In other words, BAN analysis allows us to prove things about the receiver's interpretation of a message based on the interpretation intended by the sender. Unfortunately, it is possible to slip an attack between these two interpretations.

We hasten to emphasize that what we are about to look at is not an attack on NS per se. Rather it is an analysis of NS that shows it is incorrect to conclude based on the specification that A believes that B believes A ←Kab→ B. There is nothing in [NS78] to indicate that NS was meant to achieve mutual belief in shared keys or even entity authentication of B to A. (It was intended to achieve key freshness for B via entity authentication of A to B, and, if we assume session keys can be obtained by adversaries within the lifetime of long term keys, then it did not succeed in this [DS81].) Thus the following reveals a limitation of the BAN analysis technique, rather than a flaw in the NS protocol.

Suppose that the NS protocol runs properly through the sending of the third message, but an attacker intercepts this message so it is never received by B. In place of message 4, the attacker simply sends a random string of the appropriate length. A then 'decrypts' this string using Kab. Since there is nothing in the message that is recognizable to A, she cannot tell whether the result is a nonce sent by B. So, she subtracts one from the result, reencrypts it with Kab, and sends it to B as message 5. This is also intercepted by the attacker.

According to the analysis in [BAN89], after a run of NS A believes that B has expressed faith in the quality of Kab. But, in this attack B is not even present. Thus, the derivation is misleading with respect to both entity authentication and mutual belief in the quality of a shared key. This attack is much easier to implement than the Denning-Sacco attack since it does not require any key compromise in order to succeed. As already noted, however, it is not an attack on intended protocol goals. We also hasten to note that it falls explicitly outside the scope of the analyses in [BAN89]. In [BAN89], there is a blanket assumption that "[e]ach encrypted message contains sufficient redundancy to allow a principal who decrypts it to verify that he has used the right key." (pp. 5-6) There is thus no flaw in the analysis of NS therein.

Further, the blanket assumption is frequently, if not universally, a reasonable assumption to make. In particular, the attack would not be possible in many modern implementations of the protocol. In practice encryption often contains a mechanism to check that when decrypted the correct decryption key was used, for example, including a hash of the message content along with that content inside the encryption. This is not represented in the NS protocol specification; though it would be trivial to do so. Even though the blanket assumption pushes protection against such attacks outside the scope of [BAN89], it is certainly possible to represent the protection mechanisms in question at the specification level of [BAN89]. And, there are protocols for which it is inadvisable to include the redundancy generally assumed in [BAN89]. (For example, cf. [BM92, BM93].) Thus, it is better to represent such mechanisms in the specification whenever they are actually intended.
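The redundancy check just described, as an added example that is not from the paper: A's handling of message 4 as the NS specification has it, beside a version in which B places a hash of Nb inside the encryption so that A can tell a decryption under the right key from noise. The XOR keystream cipher (SHA-256 in counter mode), the nonce length and the choice of SHA-256 as the redundancy are assumptions of this example.

```python
import hashlib
import hmac
import os

NONCE_LEN = 8   # assumed size of Nb in bytes
TAG_LEN = 32    # SHA-256 digest length


# Constructed toy cipher, illustration only (not the paper's, not for real use):
# XOR with a SHA-256 counter keystream. Like the encryption the NS specification
# assumes, it has no integrity, so any byte string "decrypts" under any key.
def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


decrypt = encrypt   # XOR keystream: decryption is the same operation


def minus_one(nonce: bytes) -> bytes:
    """Nb - 1 as an unsigned NONCE_LEN-byte integer (wraps at zero)."""
    n = (int.from_bytes(nonce, "big") - 1) % (1 << (8 * NONCE_LEN))
    return n.to_bytes(NONCE_LEN, "big")


# --- Protocol as specified in [NS78]: message 4 is {Nb}Kab -------------------
def b_message4(kab: bytes, nb: bytes) -> bytes:
    return encrypt(kab, nb)


def a_message5(kab: bytes, msg4: bytes) -> bytes:
    """A decrypts, subtracts one and re-encrypts. Nothing in the plaintext is
    recognizable to her, so she answers a random string just like a real Nb."""
    return encrypt(kab, minus_one(decrypt(kab, msg4)))


# --- With the redundancy [BAN89] assumes: message 4 is {Nb, h(Nb)}Kab --------
def b_message4_redundant(kab: bytes, nb: bytes) -> bytes:
    return encrypt(kab, nb + hashlib.sha256(nb).digest())


def a_message5_redundant(kab: bytes, msg4: bytes):
    """Returns message 5, or None when the decrypted content fails the check,
    i.e. the wrong key was used or no principal holding Kab formed message 4."""
    pt = decrypt(kab, msg4)
    if len(pt) != NONCE_LEN + TAG_LEN:
        return None
    nb, tag = pt[:NONCE_LEN], pt[NONCE_LEN:]
    if not hmac.compare_digest(hashlib.sha256(nb).digest(), tag):
        return None
    return encrypt(kab, minus_one(nb))


if __name__ == "__main__":
    kab, nb = os.urandom(16), os.urandom(NONCE_LEN)   # constructed session key and nonce
    noise = os.urandom(NONCE_LEN + TAG_LEN)
    print("as specified, A answers noise:", a_message5(kab, noise[:NONCE_LEN]) is not None)
    print("with redundancy, A answers noise:", a_message5_redundant(kab, noise) is not None)
```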
We have focussed on equating sender's and receiver's meaning in a BAN analysis as opposed to an SVO analysis. There is another feature of SVO analysis that is equally important to uncovering the limited applicability of NS for entity authentication of B to A: our requirement that premises explicitly set out what principals comprehend. This immediately brought out that A does not comprehend Nb in this protocol. Thus, a result showing that A understood anything by receiving message 4 would have to be incorrect.

Note also that our logical derivations do not themselves lead to our discovery. Rather we are only able to prove limited results because the relevant premises make assumptions only about a receiver's interpretation of a message. The inability to prove desired goals in this case is one factor in uncovering the inapplicability of NS for entity authentication of B to A. As noted by the philosopher of mathematics Imre Lakatos, sometimes the virtue of logical proof is not that it compels belief but that it suggests doubt. (We discuss some typical goals that protocols might be intended to meet in §4.1.)

Finally, though we have entirely replaced idealization, we do not claim to have removed the possibility of error in interpreting the meaning of messages. What we have replaced idealization with is further assumptions (premises) for each protocol. And, though the latter may seem more complicated, we are simply being explicit where analogous reasoning was done implicitly in BAN analysis. It is still possible to incorrectly assume that receipt of a given message in a given context implies that a certain content has been received. Relatedly, our model-theoretic semantics can be used to rigorously, albeit informally, evaluate the truth of all premises.

3 Semantics for SVO

3.1 Model of Computation

Computation is performed by a finite set of principals, P1, ..., Pn, who send messages to one another. In addition there is a principal Pe representing the environment. This allows modelling of any penetrator actions as well as reflecting messages in transit.

Each principal Pi has a local state si. A global state is thus an (n + 1)-tuple of local states. Principals can perform three actions: sending a message, receiving a message, and generating new data, such as keys. These are denoted by send(X, G), receive, and generate(X) respectively. One can send and receive any message, but one can only generate primitive terms, i.e., members of T. Other than generating new data, internal computations are not represented as actions. They are represented implicitly. Each action produces a transition from one state to the next. Note that receiving is an action, performed by the principal Pi who receives a message. The action itself is viewed as the nondeterministic choice of some message from Pi's buffer. This is why it is listed as having no argument. Once performed, however, the resulting local state reflects which message was received, e.g., receive(X). Sending is always directed to a set of principals, G. If only one principal is the intended recipient, G is a singleton. If a message is indiscriminately broadcast, G is the set of all principals.

A run is an infinite sequence of global states indexed by integral times. The first state of a given run r is assigned a time tr < 0. The initial state of the current authentication is at t = 0. The global state at time t in run r is r(t), and the corresponding projection to Pi's local state is ri(t). We may also write r(t) as '(r, t)'. We will also occasionally refer to global states thus represented as points or (possible) worlds. (Cf. §3.2 under Believing.)

The local state of each principal includes a local history of all the actions the principal has performed up to that point and a set of available transformations. These are the computations that are feasibly computable by that principal. Typically, for a given principal, Pi, the available transformations, Ai, consist of arbitrary numbers of applications of the message formation rules (including term formation rules and formula formation rules) in the definition of the language of messages, M, up to the computational complexity limitations of that principal. These include encryptions and decryptions with available keys as well as other functions the principal may perform, e.g., hashes, signatures, arithmetical functions, etc. While the number of messages known to a principal may increase over time, his computational ability to form new messages, i.e. Ai, is assumed to stay fixed. All principals are assumed to be able to decide the equality of any messages they can produce from what they have. For example suppose a public key ciphering scheme is being used in which encryption and decryption are commutative, such as RSA. If Pi has message X and Kj, the public encryption key of Pj, then Pi can verify, given {X}Kj⁻¹, that X = {{X}Kj⁻¹}Kj even if he cannot form {X}Kj⁻¹.

The environment's state consists of a global history, a set of transformations available to the environment, and a message buffer mj for messages sent to Pj and not yet received. We limit the set of runs to those where a given message can only be received after it is sent. Thus, if receive(X) is in the local history at ri(t), then send(X, G) is in the local history at some point (r, t') where t' < t.

As mentioned, transformations on a message are implicitly made when that message is sent or received. For example, if a principal receives an encrypted message {X}K and he has K, then he has also received X. Specifically, the set of explicitly received messages for a principal Pi at a point (r, t) contains the following: (1) all messages X such that receive(X) appears in the local message history at or prior to t, (2) the concatenates of any concatenated received message, (3) any message X for which {X}K is a received message and appropriate application of K is an available transformation for Pi, and (4) any message X for which [X]K is a received message for some K. Note that under this definition, if Pi receives an encrypted message and later acquires the decryption key, the decryption is a received message at that later point in the run.

For a given principal Pi, the collection of all messages that are explicitly received, newly generated, or initially available to Pi implicitly defines a set of seen messages for him at that point.7 This consists of the messages just mentioned plus all the messages he can recursively produce from those messages via his available transformations (up to the limits of his computational capabilities).

Rather than being explicit, some received messages are highly contextual. For example, we saw in the Needham-Schroeder protocol that receiving a random number in a certain context could be interpreted as implying receipt of a session key and even of statements about the session key. In fact the received message need have no explicit connection to the implicit message at all. The full set of received messages for a principal Pi at a point (r, t) includes the explicitly received messages plus any such implicitly received messages. While anything might be implied by a message, the implicitly received messages for Pi at (r, t) are limited to the seen messages for Pi at (r, t). Similarly, our model is restricted to runs where principals can only send what they see. Thus, if send(X, G) is in the local history at ri(t), then X is in the seen messages at ri(t).

The said messages are also a subset of the seen messages; we cannot hold a principal responsible for saying everything that is derivable by him from things he said. For example, if A sends {Ta, K, C}Kab to B, we should infer that A said (Ta, K, C). However, even though we can infer that A sees C sees K from this action, we should not infer that A said C sees K based on it. Given a message M that Pi sends at (r, t), we define the said submessages of M by recursively adding to {M} the following: (1) the concatenates of all concatenated submessages of M, (2) the unencrypted message of any encrypted submessage of M for which Pi has the encryption key and for which he sees the unencrypted message, (3) the unsigned message in any signed submessage of M for which Pi has the signature key and sees the unsigned message, (4) the unhashed message in any hashed submessage of M for which he sees the unhashed message, and (5) any message M' such that Pi sees M' and Pi meant to imply M' by saying a submessage of M. Implicit in saying that Pi has the key or hash function in the above is that Pi also possesses an algorithm that is feasibly computable in practice by him and that produces the relevant transformation. The set of said messages for Pi at (r, t) is the union of the sets of said submessages of all messages that Pi has sent in r through time t.

7 The set of seen messages, and the sets of received and said messages to be defined presently, will be slightly expanded below. Cf. the discussion under Believing in §3.2.
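The received, seen and said sets of §3.1, as an added example that is not from the paper: a small Python model of one principal's local state that decides membership clause by clause as defined above, run on the NS messages of §2.1 from A's side and on the case of a key acquired after the ciphertext. The tuple encoding of messages, the symmetric treatment of keys (seeing K counts as the "appropriate application of K" in both directions) and the `meant` map standing in for clause (5) are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed message encoding for this example:
#   str                   primitive term (name, nonce, key)
#   ("cat", X1, ..., Xn)  concatenation X1, ..., Xn
#   ("enc", K, X)         {X}K
#   ("sig", K, X)         [X]K
#   ("hash", X)           hash of X
# Assumption: keys are symmetric, so a principal who sees K can apply and undo it.


@dataclass
class LocalState:
    initial: set                                 # messages held before the run
    history: list = field(default_factory=list)  # (time, action, payload)

    def _events(self, kind, t):
        return [p for (tt, k, p) in self.history if k == kind and tt <= t]

    def received(self, X, t, _busy=frozenset()):
        """Explicitly received messages, clauses (1)-(4) of the definition."""
        if X in _busy:                   # reject circular justifications
            return False
        busy = _busy | {X}
        return any(M == X or self._yields(M, X, t, busy)
                   for M in self._events("receive", t))

    def _yields(self, M, X, t, busy):
        """Is X obtainable from the received message M?"""
        if not isinstance(M, tuple):
            return False
        if M[0] == "cat":                # clause (2): concatenates
            return any(p == X or self._yields(p, X, t, busy) for p in M[1:])
        if M[0] == "enc":                # clause (3): only with the key in hand
            if not self.sees(M[1], t, busy):
                return False
            body = M[2]
        elif M[0] == "sig":              # clause (4): any signature key
            body = M[2]
        else:
            return False
        return body == X or self._yields(body, X, t, busy)

    def sees(self, X, t, _busy=frozenset()):
        """Seen messages: received, generated, initial, or producible from those."""
        if X in self.initial or X in self._events("generate", t):
            return True
        if self.received(X, t, _busy):
            return True
        if isinstance(X, tuple):         # closure under the formation rules
            return all(self.sees(p, t, _busy) for p in X[1:])
        return False

    def said_submessages(self, M, t, meant=None):
        """Said submessages of M, sent by this principal at time t.
        `meant` maps a submessage to the messages it is meant to imply (clause 5)."""
        meant = meant or {}
        out = set()

        def add(Y):
            if Y in out:
                return
            out.add(Y)
            for Z in meant.get(Y, ()):                  # (5) implied messages
                if self.sees(Z, t):
                    add(Z)
            if not isinstance(Y, tuple):
                return
            if Y[0] == "cat":                           # (1) concatenates
                for p in Y[1:]:
                    add(p)
            elif Y[0] in ("enc", "sig"):                # (2), (3): key and body seen
                if self.sees(Y[1], t) and self.sees(Y[2], t):
                    add(Y[2])
            elif Y[0] == "hash" and self.sees(Y[1], t):  # (4) unhashed message seen
                add(Y[1])

        add(M)
        return out


# Constructed NS run from A's side: A holds Kas, receives message 2 at time 1
# and forwards the part encrypted for B as message 3 at time 2.
FOR_B = ("enc", "Kbs", ("cat", "Kab", "A"))
MSG2 = ("enc", "Kas", ("cat", "Na", "B", "Kab", FOR_B))


def principal_A():
    A = LocalState(initial={"A", "Kas"})
    A.history = [(1, "receive", MSG2), (2, "send", (FOR_B, {"B"}))]
    return A


# A principal who receives {X}K first and acquires K only later.
def late_key_principal():
    P = LocalState(initial=set())
    P.history = [(1, "receive", ("enc", "K", "X")), (2, "receive", "K")]
    return P
```

A sees Kab and the blob for B after message 2, but since she never sees Kbs the blob she forwards has no said submessages beyond itself, which is exactly why nothing about Kab can be attributed to A from message 3.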

3.2  Truth  Conditions 

We  now  set  out  the  conditions  under  which  a  formula 
is  assigned  to  be  true.  We  begin  by  fixing  a  system,  i.e. 
a  set  of  runs,  1Z.  Truth  of  a  formula  ip  at  a  point  (r,  t), 
written  ‘(r,t)  \=  <p\  is  inductively  defined  below.  ‘|=  tp’ 
means  that  tp  is  valid  (true  at  all  points). 

Logical  Connectives 

(r,  t)  \=  p  A  tp  iff  (r,t)  |=  < p  and  (r,  t)  \=  ip 
{ r,t )  |=  -xp  iff  (r,t)  | £  ps 

Receiving 

(r,  t)  \=  P  received  X 

iff  X  is  in  the  set  of  received  messages  for  P  at  (r,  t),  as 
defined  in  §3.1. 

Seeing 

(r,  t)  \=  P  sees  X 

iff  X  is  in  the  set  of  seen  messages  for  P  at  (r,t),  as 
defined  in  §3.1. 

Saying 

(r,  t)  \=  P  said  X 

iff,  for  some  message  M,  at  some  time  t'  <  t  in  r,  P  sent 
M  and  X  is  a  said  submessage  of  M  for  P  at  (r,  t'). 
This  gives  the  truth  conditions  for  P  having  said  X 
at  some  point  in  the  past.  We  also  characterize  what 
in  means  for  P  to  have  said  X  in  the  current  epoch 
(typically  taken  to  mean  since  the  initial  point  of  the 
current  protocol  run). 

(r,  t)  |=  P  says  X 

\p  p'  means  it  is  not  the  case  that  (r,t)  \=  ip. 
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iff,  for  some  message  M,  at  some  time  0  <  t'  <  t  in  r, 
P  sent  M  and  A"  is  a  said  submessage  of  M  for  P  at 

M. 

Jurisdiction 

(r,  t)  \=  P  controls  <p 

iff  (r,t)  \=  P  says  ip  implies  (r,  t1)  |=  <p  for  all  t'  >  0. 
Note  that  jurisdiction  constitutes  authority  at  all  points 
in  the  current  epoch,  not  just  at  the  time  P  says  p. 
This  makes  it  a  very  strong  property.  Attributions  of 
jurisdiction  are  typically  part  of  initial  assumptions  and 
should  be  made  sparingly  and  judiciously. 

Freshness  A message is fresh if it has not been part of a message sent prior to the current epoch. It is sufficient but not necessary for freshness that a message be unseen prior to the current epoch. A principal might generate a message earlier and not send it until the epoch begins. Truth conditions are thus in terms of what has been said rather than what has been seen.

$(r,t) \models \mathrm{fresh}(X)$

iff, for all principals $P$ and all times $t' < 0$, $(r,t') \not\models P \text{ said } X$.

Keys  We will give truth conditions with respect to four types of keys: shared keys, public ciphering keys, public signature keys, and public key-agreement keys. The truth conditions for a shared key to be good for communication between $P$ and $Q$ are a variant of those in [AT91]:

$(r,t) \models P \stackrel{K}{\leftrightarrow} Q$

iff, for all $t'$, $(r,t') \models R \text{ said } \{X^{Q}\}_K$ implies either $(r,t') \models R \text{ received } \{X^{Q}\}_K$, or $R = Q$ and $(r,t') \models R \text{ said } X$ and $(r,t') \models R \text{ sees } K$. If $(r,t') \models R \text{ said } \{X\}_K$ (instead of the stronger $(r,t') \models R \text{ said } \{X^{Q}\}_K$), then $R \in \{P, Q\}$ (instead of the stronger $R = P$).

'$\mathrm{PK}(P,K)$' means both that $K$ is a public key associated with principal $P$ and that the corresponding private key, $K^{-1}$, is good. (We refer here to all three types of public keys.) The truth conditions below are thus for both good public key binding and private key secrecy. (We do not mean to imply each principal has only one of any type of public key; however, our notation does assume a unique private key associated with any public key.) Signing and ciphering (encryption) may be separated in the case of public keys. Thus, the two sets of truth conditions for these two types of public keys separate out those features from the shared key truth conditions. The first truth conditions for public keys are for signature keys. Because a principal may come to have beliefs based on a signed message that he cannot produce himself, we need a way to refer to the result of verifying the origin of that message.

$(r,t) \models \mathrm{SV}(Y, K, X)$

iff there exists a $K$ such that it can be verified using $K$ that $Y = [X]_{K^{-1}}$.

Note that the truth conditions for $\mathrm{SV}(X, K, Y)$ are not contextual. They hold at one point iff they hold at all points. Thus, we are implicitly assuming that the relevant signature verification algorithm is in $A_i^+$ for all principals $P_i$ at all points. With this in place we can give the truth conditions associated with public key signature keys.

$(r,t) \models \mathrm{PK}_\sigma(P,K)$

iff, for all $Q$ and all $t'$, $(r,t') \models (Q \text{ received } Y \wedge \mathrm{SV}(Y, K, X))$ implies $(r,t') \models P \text{ said } X$.

Next we give truth conditions for public ciphering keys.

$(r,t) \models \mathrm{PK}_\psi(P,K)$

iff, for all $t'$, $(r,t') \models Q \text{ sees } \{X\}_K$ implies $(r,t') \models Q \text{ sees } X$ only when $Q = P$.

Truth conditions for key-agreement keys are a bit more complicated:

$(r,t) \models \mathrm{PK}_\delta(P,K)$

iff, for all $t'$,

(1) for some $Q$ and $K_Q$, $(r,t') \models P \stackrel{F_0(K,K_Q)}{\leftrightarrow} Q$; and

(2) for all $R$, $K_R$, if $(r,t') \not\models R \stackrel{F_0(K_R,K)}{\leftrightarrow} P$, then, for all $U$, $K_U$, $(r,t') \not\models R \stackrel{F_0(K_R,K_U)}{\leftrightarrow} U$.

(Here $F_0$ refers to some agreement function such as that in Diffie-Hellman key agreement that takes the key referred to by the first argument of $F_0$ and the private cognate of the second argument as its arguments.) The first clause guarantees that there is someone with whom $P$ (using $K$) can form a good key. The second clause guarantees that anyone with whom $P$ using $K$ cannot form a good key cannot form a good key with anybody (at least not using that public key). The truth conditions for $\mathrm{PK}_\delta(P,K)$ may seem overly complex. But, we cannot simply require that a session key $P$ produces via agreement with the public key of any $Q$ is good. This is because, even if $K$ were still secret, any given $Q$'s private key-agreement key may have been compromised, compromising $F_0(K,K_Q)$. On the other hand, we cannot simply require that if $P$ cannot produce a good session key by agreement with $Q$, then $Q$ has a bad private key agreement key. That would lead us into a circularity in determining whether truth conditions are satisfied. The above characterization achieves what is needed while avoiding circularity.

These  truth  conditions  are  admittedly  complex.  One 
might  try  to  decompose  the  logic  into  elements  with 
simpler  semantics.  However,  key  agreement  is  compli¬ 
cated  stuff.  What  our  current  logic  and  semantics  al¬ 
low  us  to  do  is  ignore  much  of  that  complexity  in  our 
syntactic  analysis  while  knowing  that  what  we  have  is 
nonetheless  sound.  Decomposition  would  just  lead  us 
into  algorithm  or  protocol  specific  details  that  should 
be  avoided  on  the  logical  level. 

Believing  Our characterization of belief is based on possible worlds. This approach to characterizing belief was first given by Hintikka in [Hin62]. Since the early eighties it has been applied to distributed computing (one example of such application being that in [AT91]). The idea is that a principal's beliefs in a given state are determined by which worlds (global states) are considered to be possibly the state he is in. From his perspective these worlds are indiscernible from one another. For each principal $P_i$ we can thus define a relation that indicates for each world $(r,t)$ which worlds are possible in this manner for $P_i$. Not surprisingly, this is closely tied to the messages that are comprehended by $P_i$: at each world, those that he can discriminate to be what they are.

The messages that a principal can comprehend are those that he can ultimately tie back to cleartext he has seen and those that he can relate to previously seen messages. The local state for a principal includes a set of seen messages; however, some of these he will see without comprehension. For example, if he sees a hash $H(X)$ but not $X$, then he does not comprehend what he's seeing to be $H(X)$. Similarly, if he sees $\{X\}_K$, but does not have the relevant decryption key, then he does not comprehend what he is seeing even if $X$ is available plaintext. Nonetheless, we account for the possibility of, e.g., a principal recognizing that a received message is the encryption with his public key of a message he had previously forwarded without comprehending.

We will now define the comprehension of principal $P_i$ in a run $r$. Note that while principals necessarily decompose received messages top down, it will facilitate understanding if comprehension of messages is set out in a bottom up manner. Since public keys are assumed to be generally available and since principals can therefore verify the structure of messages signed by others even if they cannot form those messages, we must somehow account for this. We therefore define a set $A_i^+$ to be $A_i$ together with the formation of messages that $P_i$ can verify (such as signatures by other principals). Henceforth '$\mathit{Cl}_i(\alpha)$' refers to the closure of the set $\alpha$ under the rules in $A_i^+$. Let $\mathit{comp}_i(r,0)$ consist of the closure under $A_i^+$ of all plaintext that $P_i$ has at the start of the protocol in run $r$. We assume that each principal $P_i$ receives at most one message at a time. If $P_i$ receives no messages at time $t$ in $r$, then $\mathit{comp}_i(r,t) = \mathit{comp}_i(r,t-1)$.

Suppose that $P_i$ receives $M$ at $(r,t)$. Let $\alpha$ be the set of all hereditary submessages of $M$ that $P_i$ can form or verify at $(r,t)$. In other words $\alpha$ includes the (immediate) submessages of $M$, the submessages of submessages, and so on, down to the atomic terms contained in $M$ that are contained in $\mathit{Cl}_i(\{M\} \cup \mathit{comp}_i(r,t-1))$. Some of the members of $\alpha$ will not be understood by $P_i$. We will now proceed through an iterative construction that will replace any $X \in \alpha$ that is not understood by $P_i$ with $*_X$.

Consider all the $X \in \alpha$ that are atomic ($X \in T$). If $X \in \mathit{comp}_i(r,t-1)$, then let $X \in \beta_0$. If $X \notin \mathit{comp}_i(r,t-1)$, then let $*_X \in \beta_0$. Also, let $\mathit{comp}_i(r,t-1) \subseteq \beta_0$. Let $\alpha_0$ be the result of substituting $*_X$ for $X$ in any submessage of a member of $\alpha$ if $*_X \in \beta_0$.

Now, consider all the $X \in \alpha_0$ such that $X$ is the result of a single message formation rule (as given in §1.1) and where the components of the $X$ are members of $\beta_0$. If $P_i$ can form or verify $X$ with $A_i^+$ using those components, then let $X \in \beta_1$. If $P_i$ cannot form or verify $X$ with $A_i^+$ using those components, then let $*_X \in \beta_1$. Also, let $\beta_0 \subseteq \beta_1$. Let $\alpha_1$ be the result of substituting $*_X$ for $X$ in any submessage of a member of $\alpha_0$ if $*_X \in \beta_1$.

Consider all the $X \in \alpha_1$ such that $X$ is the result of a single message formation rule (as given in §1.1) and where the components of the $X$ are members of $\beta_1$. If $P_i$ can form or verify $X$ with $A_i^+$ using those components, then let $X \in \beta_2$. If $P_i$ cannot form or verify $X$ with $A_i^+$ using those components, then let $*_X \in \beta_2$. Also, let $\beta_1 \subseteq \beta_2$. Let $\alpha_2$ be the result of substituting $*_X$ for $X$ in any submessage of a member of $\alpha_1$ if $*_X \in \beta_2$.

Continuing in this way, we will eventually arrive at a stage $n$ for which the only $X \in \alpha_{n-1}$ under consideration is $M$ itself, with asterisks substituted for appropriate submessages. Either this message is replaced by an asterisk expression at stage $n$ or $\alpha_n = \alpha_{n-1}$. In either case, this is the terminating stage for the construction.

We can then define

$\mathit{comp}_i(r,t) = \mathit{Cl}_i(\alpha_n)$

Note that this construction determines what is comprehended not just for hereditary submessages of a message $M$ just received but also previous messages. For example, suppose $P$ received $\{X\}_K$ at $(r,t)$ but only acquired $K$ at some point $(r,t')$ where $t < t'$. $\{X\}_K$ would be replaced by an asterisk expression in $\mathit{comp}_P(r,t)$. But, assuming $X$ were comprehended, $\{X\}_K$ would appear in $\mathit{comp}_P(r,t')$.

We can use this construction to form a local message $M_i(r,t)$ for any message $M$ and any principal $P_i$ and point $(r,t)$. Note that in this construction each submessage of $M$, including $M$ itself, occurs in $\alpha$. And, each $\alpha_j$ contains a unique element corresponding to each element of $\alpha$. Thus, given any message $M$ (received or not, seen or not) we can construct the local message $M_i(r,t)$ for $P_i$ at $(r,t)$ by following the above construction to form the relevant substitutions for subexpressions of $M$ until we construct $\alpha_n$. $M_i(r,t)$ is simply the element of $\alpha_n$ corresponding to $M$ in $\alpha$. This construction is only relevant to $\mathit{comp}_i(r,t)$ when $M$ is a message newly received or generated by $P_i$.

We now expand the sets of seen, received, and said messages to include the locally understood messages. Henceforth, if $M$ is in the set of seen (said, received) messages for $P_i$ at $(r,t)$, then so is $M_i(r,t)$.

For any given run $r$ and principal $P_i$ we now define the locally comprehended run $r_i^*$ to be the same as $r_i$ except that wherever any message $M$ occurs in $r_i(t)$, for any $t$, $M_i(r,t)$ replaces $M$.

The possibility relation $\sim_i$ for a principal $P_i$ in state $(r,t)$ is defined by

$(r,t) \sim_i (r',t')$

iff $r_i^*(t)$ and $r'^*_i(t')$ can be produced one from the other by a uniform substitution of subscripts on asterisks. For example, $r_i^*(t)$ might be the same as $r'^*_i(t')$ except that $*_j$ occurs in the former everywhere that $*_k$ occurs in the latter, and vice versa.

We can now give truth conditions for belief formulae:

$(r,t) \models P_i \text{ believes } \varphi$

iff $(r',t') \models \varphi_i(r',t')$ for all $(r',t')$ such that $(r,t) \sim_i (r',t')$, and $\varphi = \varphi_i(r',t')$ for some such $(r',t')$.
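To make the stagewise construction of $M_i(r,t)$ and the possibility relation $\sim_i$ concrete, here is a small Python model, added here and not part of the paper. The four message forms, the set `comp` of atoms a principal holds (standing in for the atomic part of $\mathit{comp}_i(r,t-1)$), the private/public key naming convention and the rule that a verified signature confirms the atoms of its content are assumptions of this model, and the received message is constructed for the example.

```python
"""Simplified executable model of the SVO comprehension construction
(local messages M_i(r,t) with asterisk expressions) and of the possibility
relation ~_i (sameness up to a uniform renaming of asterisk subscripts).

Added example, not the paper's own code.  Message terms are nested tuples:
an atom is a str and the compound forms (an assumption of this model) are
  ('pair', x, y)       concatenation
  ('enc', x, k)        {X}_K under a shared key k
  ('hash', x)          H(X)
  ('sig', x, k_priv)   [X]_{K^-1}, verifiable with the public key
An asterisk expression *_X is represented as ('*', X)."""


def verification_key(k_priv):
    """Naming convention of this model: private 'K_T^-1' pairs with public 'K_T'."""
    assert k_priv.endswith("^-1"), k_priv
    return k_priv[:-3]


def atoms(m):
    """Atomic terms occurring in a (non-local) message."""
    return {m} if isinstance(m, str) else set().union(*(atoms(c) for c in m[1:]))


def has_star(m):
    if isinstance(m, str):
        return False
    return m[0] == "*" or any(has_star(c) for c in m[1:])


def local_message(m, comp):
    """M_i(r,t): m with each subterm P_i cannot form or verify replaced by an
    asterisk.  `comp` is the set of atoms P_i comprehends (plaintext and keys
    it holds).  The walk is bottom up, as in the paper's stagewise construction."""
    if isinstance(m, str):                       # stage 0: atomic terms
        return m if m in comp else ("*", m)
    tag = m[0]
    if tag == "pair":                            # concatenation is always formable
        return ("pair", local_message(m[1], comp), local_message(m[2], comp))
    if tag == "enc":                             # {X}_K needs K to form or open
        x, k = m[1], m[2]
        return ("enc", local_message(x, comp), k) if k in comp else ("*", m)
    if tag == "hash":                            # H(X) is recognised only given X
        lx = local_message(m[1], comp)
        return ("hash", lx) if not has_star(lx) else ("*", m)
    if tag == "sig":                             # the A_i^+ case: verify, not form
        x, k_priv = m[1], m[2]
        if verification_key(k_priv) not in comp:
            return ("*", m)
        # Model assumption: a verified signature confirms the atomic values of
        # its content (the certified R_b appears unstarred in premises P4, P8).
        return ("sig", local_message(x, comp | atoms(x)), k_priv)
    raise ValueError(f"unknown message form {tag!r}")


def indiscernible(m1, m2, _maps=None):
    """True iff the two local messages can be produced one from the other by
    a uniform (bijective) substitution of subscripts on asterisks."""
    fwd, bwd = _maps if _maps is not None else ({}, {})
    if isinstance(m1, str) or isinstance(m2, str):
        return m1 == m2
    if m1[0] == "*" or m2[0] == "*":
        if m1[0] != "*" or m2[0] != "*":
            return False
        a, b = m1[1], m2[1]                      # the asterisk subscripts
        return fwd.setdefault(a, b) == b and bwd.setdefault(b, a) == a
    if m1[0] != m2[0] or len(m1) != len(m2):
        return False
    return all(indiscernible(c1, c2, (fwd, bwd)) for c1, c2 in zip(m1[1:], m2[1:]))


# Constructed example: A holds K_AB and T's public key K_T, but not K_BC.
COMP_A = {"A", "B", "K_AB", "K_T", "N_a"}
CERT_B = ("sig", ("pair", "B", "R_b"), "K_T^-1")
RECEIVED = ("pair", CERT_B,
            ("pair", ("enc", ("pair", "N_a", "N_b"), "K_AB"),
                     ("enc", "N_c", "K_BC")))


def demo():
    """A's local view of RECEIVED, and whether a run in which B chose the nonce
    N_x and the K_BC blob carried N_y is indiscernible from it for A."""
    lm = local_message(RECEIVED, COMP_A)
    other = ("pair", CERT_B,
             ("pair", ("enc", ("pair", "N_a", "N_x"), "K_AB"),
                      ("enc", "N_y", "K_BC")))
    return lm, indiscernible(lm, local_message(other, COMP_A))


if __name__ == "__main__":
    print(demo())
```

In A's local view the certificate and the $K_{AB}$ ciphertext keep their structure, while B's fresh nonce and the whole $K_{BC}$ ciphertext become asterisks; a world that differs only in those two values is $\sim_A$-related to the actual one, which is exactly why A's beliefs cannot depend on them.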

In the sequel we may occasionally write '$\sim_P$' and '$\mathit{comp}_P$' respectively for the possibility relation and comprehension of principal $P$. Similarly we may write '$M_P(r,t)$' to represent the local message corresponding to $M$ for $P$ at $(r,t)$.

It is obvious that $\sim_i$ is an equivalence relation. By a standard result of modal logic this means that all of the axioms of the system S5 are valid in this semantics [Che80, Gol92]. Readers familiar with the use of logics
of  knowledge  and  belief  will  recognize  this  as  the  most 
standard  logic  for  representing  knowledge.  And,  such 
readers  may  therefore  wonder  why  we  have  chosen  to 
take  this  as  a  logic  of  belief  and  why  we  have  included 
only  two  of  the  axioms  of  S5  in  our  axiom  set.  We  see 
no  need  to  include  the  other  axioms  for  the  applications 
we  envision.  It  is  a  simple  matter  to  add  them  should 
it  be  necessary.  The  subtleties  of  intuitions  regarding 
knowledge  and  belief  in  the  context  of  protocol  analysis 
have  been  discussed  elsewhere  [Syv91,  Syv92],  and  we 
will  not  delve  into  that  issue  here. 

This  completes  the  conditions  necessary  to  assign  truth 
values  to  all  formulae  in  the  logic. 

3.3  Soundness

Theorem 3.1  SVO is sound: if $\Gamma \vdash \varphi$, then $\Gamma \models \varphi$.

In words, the theorem says that, for a set of formulae $\Gamma$ and a formula $\varphi$, if $\varphi$ is derivable from $\Gamma$, then $\varphi$ is true at any world making all of $\Gamma$ true. Thus, in a typical protocol analysis, if $\Gamma$ refers to the premise set, as described in §2, then the effect of this theorem is that if all our assumptions ($\Gamma$) are true, then so is any protocol goal ($\varphi$) proved from those assumptions. (The truth of the assumptions must be evaluated by means outside the logic, e.g., by evaluating their status in the model of computation via the semantics.)

Proof: This is a typical tedious soundness proof [Che80]: show that the axioms are valid (true at all worlds) and that derivation preserves truth. Proof of validity for all axioms is direct by inspection of the truth conditions given in §3.2. We fill in details for those axioms where the result is neither immediate nor standard. Note that all the axioms for which the validity proof is spelled out below are conditionals. By the truth conditions for '$\supset$', it therefore suffices to show in each case that the consequent of the conditional is true at any world at which the antecedent is true.

Ax1-Ax2. As noted above $\sim_i$ is an equivalence relation, and axioms Ax1 and Ax2 are thus valid by a standard result of modal logic [Che80].

Ax3. $(P \stackrel{K}{\leftrightarrow} Q \wedge R \text{ received } \{X^{Q}\}_K) \supset (Q \text{ said } X \wedge Q \text{ sees } K)$

Suppose that $(r,t) \models (P \stackrel{K}{\leftrightarrow} Q \wedge R \text{ received } \{X^{Q}\}_K)$. By the definition of a run, there is a $t' < t$ such that $(r,t') \models R' \text{ said } \{X^{Q}\}_K$ for some $R'$. Then, by the truth conditions for $P \stackrel{K}{\leftrightarrow} Q$, either $(r,t') \models R' \text{ received } \{X^{Q}\}_K$ or $(r,t') \models R' \text{ said } X$, $(r,t') \models R' \text{ sees } K$, and $R' = Q$. In our model of computation each run is assumed to have an initial state. Thus, each sent message must be sent a first time (without being previously received). So, there exists a $t'' < t$ and $R''$ such that $(r,t'') \models R'' \text{ said } \{X^{Q}\}_K$ and $(r,t'') \not\models R'' \text{ received } \{X^{Q}\}_K$. So, $(r,t'') \models R'' \text{ said } X$, $(r,t'') \models Q \text{ sees } K$, and $R'' = Q$.

Ax4. $(\mathrm{PK}_\sigma(Q,K) \wedge R \text{ received } X \wedge \mathrm{SV}(X,K,Y)) \supset Q \text{ said } Y$

This is immediate from the truth conditions for $\mathrm{PK}_\sigma(Q,K)$ and $\mathrm{SV}(X,K,Y)$.

Ax5. $((\mathrm{PK}_\delta(P,K_P)) \wedge (\mathrm{PK}_\delta(Q,K_Q))) \supset P \stackrel{F_0(K_P,K_Q)}{\leftrightarrow} Q$

Suppose that $(r,t) \models (\mathrm{PK}_\delta(P,K_P) \wedge \mathrm{PK}_\delta(Q,K_Q))$ but that $(r,t) \not\models P \stackrel{F_0(K_P,K_Q)}{\leftrightarrow} Q$. Thus, $P$ using $K_P$ cannot form a good shared key with $Q$ using $K_Q$. By clause (2) of the truth conditions for key agreement, if $\mathrm{PK}_\delta(P,K_P)$, this would mean that, for all times $t'$ at $(r,t')$, $Q$ cannot make a good session key with anyone using $K_Q$. But, this contradicts our initial assumption that $(r,t) \models \mathrm{PK}_\delta(Q,K_Q)$.

Ax6. $\varphi \equiv \varphi[F_0(K,K')/F_0(K',K)]$

This is immediate from the definition of $F_0$.

Ax7-Ax12. The validity of axioms Ax7-Ax12 is immediate from the definitions of received and seen messages.

Ax13. $P \text{ believes } (P \text{ sees } F(X)) \supset P \text{ believes } P \text{ sees } X$

(where $F$ is any effectively one-one function such that either $F$ or $F^{-1}$ is computable in practice by $P$). Suppose that $(r,t) \models P \text{ believes } (P \text{ sees } F(X))$. Let $(r',t')$ be such that $(r,t) \sim_P (r',t')$. Then, $(r',t') \models (P \text{ sees } F(X))_P(r',t')$ by the truth conditions for belief. Since principal names are assumed to be generally known, and since, by definition, '$F$' denotes a function in $A_P^+$, $(P \text{ sees } F(X))_P(r',t') = (P \text{ sees } F(X_P(r',t')))$. Thus, $(r',t') \models (P \text{ sees } F(X_P(r',t')))$. So, by definition of the seen messages and since $F \in A_P^+$, this is true iff $(r',t') \models (P \text{ sees } X_P(r',t'))$.

Again, by the truth conditions for belief, for some $(r',t')$ such that $(r,t) \sim_P (r',t')$, $P \text{ sees } F(X)$ is $(P \text{ sees } F(X))_P(r',t')$. And, by the above argument, $(P \text{ sees } F(X))_P(r',t') = (P \text{ sees } F(X_P(r',t')))$. So, $X = X_P(r',t')$, and $P \text{ sees } X = P \text{ sees } X_P(r',t')$. This completes the truth conditions for belief, so $(r,t) \models P \text{ believes } (P \text{ sees } X)$.

Ax14-Ax20. The validity of these axioms is immediate from the relevant truth conditions.

Note that axiom Ax18 says that a function of fresh arguments is itself fresh, provided that the function genuinely depends on the fresh argument. Without this provision the axiom is not valid. To see this note that $X = X + 0 \cdot Y$. So, if $P$ said $X$ before the current epoch, without the provision the freshness of $Y$ allows us to conclude that $P$ says $X$. (We refer here to the values of $X$ and $X + 0 \cdot Y$. Obviously the character string '$X$' does not equal the character string '$X + 0 \cdot Y$', which does depend on '$Y$' to be produced.)

All that remains to be shown for soundness is that all the ways that $\varphi$ can be derived from $\Gamma$ preserve truth. There are three cases. (1) If $\varphi$ is a theorem or member of $\Gamma$, then $\Gamma \models \varphi$ trivially. (2) If $\varphi$ is obtained by modus ponens, then it occurs in a derivation from $\Gamma$ in which some $\psi$ and $\psi \supset \varphi$ occur earlier. Then by induction on the structure of the derivation and definition of truth conditions, $\Gamma \models \varphi$. (3) Also by a trivial induction, if $\varphi$ is obtained by necessitation, then $\varphi$ is $P \text{ believes } \psi$ for some $P$ and some $\psi$ such that $\vdash \psi$. By inductive hypothesis, $\models \psi$. So, by the truth conditions for belief, $\models P \text{ believes } \psi$. Thus, a fortiori, $\Gamma \models P \text{ believes } \psi$. □

4  More  Sample  Applications 

In  this  section  we  look  at  two  key  agreement  protocols. 
These  protocols  are  often  subtler  in  many  ways  than 
standard  key  distribution  protocols.  Thus,  while  these 
analyses  are  commensurately  subtler  than  those  of,  e.g., 
[BAN89],  they  also  illustrate  the  relative  strength  of 
SVO.  Some  expressions  from  VO  are  useful  in  these 
analyses.  Whenever  notation  from  VO  is  encountered 
it  should  be  read  as  a  syntactic  abbreviation  as  defined 
from  SVO  primitives  in  appendix  B.l. 

Before  beginning  analysis  of  the  protocols  themselves 
we  set  out  some  generic  formal  goals  that  any  authen¬ 
tication  protocol  might  be  intended  to  meet.  Similarly, 
we  set  out  some  generic  assumptions.  In  our  analysis, 
we  prove  that  each  of  the  protocols  meets  some  of  the 
generic  goals  presented. 

4.1  Generic  Formal  Goals  and  Assump¬ 
tions 

We  list  first  some  generic  goals  that  protocols  to  be 
discussed  below  will  be  shown  to  meet.  This  is  not 
meant  to  be  taken  as  a  definitive  list  of  the  goals  that  a 
key  agreement  or  key  distribution  protocol  should  meet. 

G1. Far-end operative: $A \text{ believes } B \text{ says } X$

[Figure 1: The MTI Protocol A(0). The figure tabulates, in three columns, A's computations, the messages sent, and B's computations; the steps are those listed in §4.2.]

G2. Entity authentication: $A \text{ believes } B \text{ says } F(X, N_a)$

G3. Secure key establishment:⁹ A believes A B

G4. Key confirmation: A believes A B

G5. Key freshness: $A \text{ believes } \mathrm{fresh}(K)$

G6. Mutual understanding of shared key: A believes B says B A

The intuitive meaning and reasons for each of these should be clear for the most part. G1 says that A believes B has been online during the current epoch. In G2, $N_a$ is A's nonce, and $F$ is assumed to be an effectively one-one function such that $F$ is computable in practice by B and $F$ or $F^{-1}$ is computable in practice by A. The idea is that A is assured that B has recently offered the response '$X$' to A's challenge of $N_a$. (No other understanding of 'entity authentication' is intended.) Note that it is still possible for G3 to hold if B has not participated in the protocol and even if B does not possess session key $K$.

We now collect some generic formal assumptions, some of which will be made in the analysis of the protocols considered below. They are stated for a principal A and a trusted authority T. In a protocol involving two principals A and B, they may be assumed for either or both principals.

A1. T's signature key: $A \text{ believes } \mathrm{PK}_\sigma(T, K_T)$

A2. T's signature key jurisdiction: $A \text{ believes } T \text{ controls } \mathrm{PK}_\sigma(B, K_B)$

A3. T's agreement key jurisdiction: $A \text{ believes } T \text{ controls } \mathrm{PK}_\delta(B, K_B)$

⁹ As mentioned above, notation from VO is defined from SVO primitives in appendix B.1.

A4. Own agreement key quality: $A \text{ believes } \mathrm{PK}_\delta(A, K_A)$

A5. Nonce freshness: $A \text{ believes } \mathrm{fresh}(N_a)$

The meaning of all these assumptions should be self-evident: principals believe they have good signature keys for trusted authorities, that trusted authorities have jurisdiction over statements concerning the public keys of other principals, that their own agreement keys are good, and that nonces they generate themselves are fresh. As noted in §2.2.1, jurisdiction assumptions are rather strong and should be made with caution. When issuing a certificate, it is generally important that the relevant authority confirm not only the authenticity of the request but also that the requesting principal possesses the corresponding private key. If this were not true for signature or key agreement certificates, then the relevant jurisdiction assumption would not be true either. The significance of this will become apparent presently. This is not meant to be a comprehensive list of assumptions for any type of protocol.

4.2  The MTI Protocol A(0)

The key agreement protocol A(0) of Matsumoto, Takashima, and Imai [MTI86] results in the establishment of a shared secret key; two Diffie-Hellman exponentiations are used, combining fixed and (per-run) variant parameters, allowing the creation of a unique key for each protocol run while reusing certified public key-agreement keys. A publicly known appropriate prime $p$ and primitive element $\alpha$ in $GF(p)$ are fixed. The parties A and B and the trusted authority T use a common signature scheme in association with certificates; $s_U\{\cdot\}$ denotes the signature of party U. In a preliminary, one-time process, A selects a secret random number $x$, computes $R_a = \alpha^x$, and gives this to T; T verifies A's identity and returns a certificate $\mathrm{Cert}_a$ consisting of $R_a$, a distinguishing identifier $ID_a$ for A, and T's signature over their concatenation. $R_a$ serves as A's fixed public key-agreement key, which can now be made available to others by certificate. Similarly, B obtains a secret number $y$, computes $R_b = \alpha^y$, and obtains $\mathrm{Cert}_b$. The protocol between A and B then consists of a single message in each direction, as outlined below and as summarized in Figure 1:

1. A generates a random positive integer $x$, computes $R_a = \alpha^x$ and sends $R_a$ to B along with $\mathrm{Cert}_a$.

2. B generates a random positive integer $y$, computes $R_b = \alpha^y$ and sends $R_b$ to A along with $\mathrm{Cert}_b$.

3. A and B establish the authenticity of each other's certificates by verifying the signature of T thereon using T's known public key, and establish a common key $K$ by respectively computing $K = (R_b)^x \cdot (R_b)^x$ and $K = (R_a)^y \cdot (R_a)^y$.

This protocol is also discussed in [Yac90], where calculations are with respect to an RSA modulus $n$ rather than modulo $p$ as above. Another very similar protocol was given in [Gos90].

4.2.1  Analysis of A(0) protocol

We first specify the protocol in our notation:

$A \rightarrow B : (A, R_a, [A, R_a]_{K^{-1}}), R_a$
$B \rightarrow A : (B, R_b, [B, R_b]_{K^{-1}}), R_b$

We next turn to the formation of the set of premises to be used in formal derivations of protocol goals. The generic assumptions we make correspond to A1, A3, A4, and A5 above. Specifically we assume that each principal A and B believes that $K_T$ is the signature verification key for the trusted authority, T (A1), that each principal believes his own agreement key is good (A4), and that each principal believes that the key parameters he generates for the protocol are fresh (A5). We assume that principals each accept the jurisdiction of T over the agreement key of the other; however, A3 is not adequate to express this assumption for two reasons. First, by virtue of the semantics for controls, it grants jurisdiction only to statements made by T during the current epoch. This protocol relies on statements made by T with no freshness indicators included. Second, the session key is formed by two public pieces of data from principals, but the statement from the trusted authority only concerns one of these. Fortunately, for the purposes of this protocol analysis we can replace A3 with the more specific assumptions that

$A \text{ believes } ((T \text{ said } \mathrm{PK}_\delta(B, R_b) \wedge A \text{ received } ((B, R_b, [(B, R_b)]_{K^{-1}}), R_b)) \supset \mathrm{PK}_\delta(B, (R_b, R_b)))$

and similarly for B. We include all these initial assumptions in the premise set. Other initial assumptions reflected in the premise set are that each principal comprehends his own agreement key components and that each principal correctly assesses the result of verifying T's signature on the other's certificate. The premise set also reflects the messages that each principal receives. Also, recall that any premise set reflects A's comprehension of messages received by including $A \text{ believes } A \text{ received } X$ for each message $X$ that A is assumed to comprehend (and similarly for B). Finally, the set includes premises reflecting the receiver's interpretation of message content for each received message. We now enumerate the premise set.

P1  $A \text{ believes } \mathrm{PK}_\sigma(T, K_T)$
    $B \text{ believes } \mathrm{PK}_\sigma(T, K_T)$

P2  $A \text{ believes } A \text{ sees } (R_a, R_a, x, x)$
    $B \text{ believes } B \text{ sees } (R_b, R_b, y, y)$

P3  $A \text{ believes } \mathrm{SV}([(B, R_b)]_{K^{-1}}, K_T, (B, R_b))$
    $B \text{ believes } \mathrm{SV}([(A, R_a)]_{K^{-1}}, K_T, (A, R_a))$

P4  $A \text{ believes } ((T \text{ said } \mathrm{PK}_\delta(B, R_b) \wedge A \text{ received } ((B, R_b, [(B, R_b)]_{K^{-1}}), *_b)) \supset (\mathrm{PK}_\delta(B, (R_b, *_b))))$
    $B \text{ believes } ((T \text{ said } \mathrm{PK}_\delta(A, R_a) \wedge B \text{ received } ((A, R_a, [(A, R_a)]_{K^{-1}}), *_a)) \supset (\mathrm{PK}_\delta(A, (R_a, *_a))))$

P5  $A \text{ believes } \mathrm{PK}_\delta(A, (R_a, R_a))$
    $B \text{ believes } \mathrm{PK}_\delta(B, (R_b, R_b))$

P6  $A \text{ believes } \mathrm{fresh}(R_a)$
    $B \text{ believes } \mathrm{fresh}(R_b)$

P7  $A \text{ received } ((B, R_b, [B, R_b]_{K^{-1}}), R_b)$
    $B \text{ received } ((A, R_a, [A, R_a]_{K^{-1}}), R_a)$

P8  $A \text{ believes } A \text{ received } ((B, R_b, [B, R_b]_{K^{-1}}), *_b)$
    $B \text{ believes } B \text{ received } ((A, R_a, [A, R_a]_{K^{-1}}), *_a)$

P9  $A \text{ believes } (T \text{ said } (B, R_b) \supset T \text{ said } \mathrm{PK}_\delta(B, R_b))$
    $B \text{ believes } (T \text{ said } (A, R_a) \supset T \text{ said } \mathrm{PK}_\delta(A, R_a))$

'A Unified Cryptographic Protocol Logic' by P. Syverson and P. van Oorschot. NRL CHACS Report 5540-227, 1996.

We now turn to formal derivations. In the interest of brevity, we will compress many of the steps together, and we will not cite the use of propositional reasoning in giving the justifications for derivation lines. Since there is nothing in the protocol to authenticate either principal to the other in any way, there is no hope of deriving the generic goals G1, G2, G4, or G6. We give formal derivations of goals G3 and G5 beginning with G3 ($A \text{ believes } A \stackrel{K}{\leftrightarrow} B$).

1. $A \text{ believes } A \text{ received } ([\mathrm{PK}_\delta(B, R_b)]_{K^{-1}})$
   by P8, Ax1, Ax7, Nec, MP

2. $A \text{ believes } T \text{ said } (B, R_b)$
   by 1, P1, P3, Ax1, Ax4, Nec, MP

3. $A \text{ believes } T \text{ said } \mathrm{PK}_\delta(B, R_b)$
   by 2, P9, Ax1, MP

4. $A \text{ believes } \mathrm{PK}_\delta(B, (R_b, *_b))$
   by 2, P4, Ax1, MP

5. $A \text{ believes } \mathrm{PK}_\delta(A, (R_a, R_a))$
   by P5

6. $A \text{ believes } (A \stackrel{K}{\leftrightarrow} B)$
   by 4, 5, Ax1, Ax5, Nec, MP, where $K = F_0((R_a, R_a), (R_b, R_b))$

7. $A \text{ believes } A \text{ sees } (R_b, *_b)$
   by P8, Ax1, Ax10, Ax11, Ax12, Nec, MP

8. $A \text{ believes } A \text{ sees } K$
   by 7, P2, Ax11, Ax12, Ax1, Nec, MP, where $K = F_0((R_a, R_a), (R_b, R_b))$

9. A believes (A AA B)
   by 6, 8, Ax1, MP, and def. of A AA B.

The  derivation  of  G3  for  B  is  virtually  identical. 

As  Burrows  et  al.  found  in  their  analyses  in  [BAN89], 
it  is  often  instructive  to  look  at  the  assumptions  neces¬ 
sary  to  derive  a  goal.  We  have  noted  before  that  juris¬ 
diction  assumptions  are  powerful  and  should  be  made 
judiciously.  We  thus  delve  more  deeply  into  premise 
P4.  First  note  that  the  quality  and  binding  of  the  en¬ 
tire  agreement  key  is  assumed  based  only  on  the  trusted 
authority’s  assertion  concerning  the  long  term  part  (and 
the  comprehensibility  of  the  fresh  part).  This  is  an  un¬ 
avoidable  assumption  since  the  fresh  part  of  each  public 
agreement  key  is  sent  only  in  the  clear.  If  this  cleartext 
were  attacked  it  could  result  in  principals  believing  that 
they  share  a  good  session  key.  This  attack  in  no  way 
invalidates  the  above  result  since  A  does  have  K,  and 
K  is  a  session  key  good  for  at  most  A  and  B  (though 
in  actuality  good  for  nobody,  if  the  attacker  tampers  as 
indicated  above). 

Another assumption implicit in P4 is, however, more serious.
Specifically, P4 (and more generally A3) assumes that the trusted
authority has jurisdiction over the binding and quality of a principal's
agreement key. This is the danger we alluded to above if the trusted
authority issues a certificate without checking both that the
certificate matches an authenticated request and that the requesting
principal has the corresponding private key. In this protocol, should T
issue certificates without this confirmation, it would be possible for a
principal E to trick another principal B into thinking he has formed a
session key with E when B has in fact formed a session key with A. In
this case the above result would be spurious. Here is an account of the
attack. (A slightly more complicated attack having similar results is
given in [MQV95].)

Attack on the A(0) Protocol

1. E obtains $\bar{R}_a$, A's public long term agreement key, perhaps
by legitimate sessions of this protocol. E requests and receives a
certificate, $Cert_e = (\bar{R}_a, ID_e, s_T\{\bar{R}_a, ID_e\})$. Note
that E does not obtain the private key corresponding to $\bar{R}_a$.

2. A initiates a legitimate session with B. That is, A generates a
random positive integer $x$, computes $R_a = \alpha^x$ and sends $R_a$
to B along with certificate $Cert_a$.

3. E intercepts A's message, substitutes $Cert_e$ for $Cert_a$ and
forwards $(R_a, Cert_e)$ to B.

4. B generates a random positive integer $y$, computes $R_b = \alpha^y$
and sends $R_b$ to E along with certificate $Cert_b$.

5. E forwards $(R_b, Cert_b)$ to A.

6. A and B establish the authenticity of received certificates by
verifying the signature of T thereon using T's known public key, and
establish a common key K by respectively computing
$K = (R_b)^a \cdot (\bar{R}_b)^x$ and $K = (R_a)^b \cdot (\bar{R}_a)^y$.
(Both equal $\alpha^{ay + bx}$; since B takes $\bar{R}_a$ from $Cert_e$,
he computes exactly the key A computes.) While A correctly believes
that K is a session key for communication with B, B erroneously
believes that this key is for communication with E.
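The certificate substitution of steps 3 and 6 can be simulated directly. The following Python script is an added example and not code from the paper: it uses the standard A(0) key $K = \alpha^{ay+bx}$ (with $a$, $b$ the long term and $x$, $y$ the per-session private exponents), a toy group ($p = 2027$, $\alpha = 2$) far too small for real use, and models the trusted authority T as a registry of issued certificates, so that "verify T's signature" is abstracted to a registry lookup on the assumption that the signature scheme itself is sound. The names `Authority`, `run_a0`, `check_possession` and `rogue` are this example's own. The `check_possession` flag is the check the text says T must perform: a Diffie-Hellman style proof that the requester holds the private key for the public key being certified.

```python
"""MTI A(0) unknown-key-share attack: T certifies E for A's long-term public key.

Added example, not code from the paper.  Assumptions: the standard A(0) key
K = alpha^(ay + bx) (a, b long-term and x, y per-session private exponents);
a toy group p = 2027, alpha = 2; and T's signature on certificates abstracted
to a lookup in T's own registry (i.e. the signature scheme is taken as sound).
"""
import secrets

P, ALPHA = 2027, 2      # p = 2q + 1 with q = 1013; 2 is a primitive root mod p


def rand_exp():
    """Random positive exponent, the protocol's 'random positive integer'."""
    return secrets.randbelow(P - 2) + 1


class Authority:
    """Stand-in for T.  issue() binds an identity to a public key; verify() is
    a registry lookup, which abstracts 'check T's signature on the certificate'."""

    def __init__(self, check_possession):
        self.check_possession = check_possession
        self.issued = set()

    def issue(self, ident, pub, respond):
        # Proof of possession: T sends c = alpha^r and expects c^priv = pub^r.
        # Without priv the requester cannot answer; this is the check the text
        # says T must make before binding pub to ident.
        if self.check_possession:
            r = rand_exp()
            if respond(pow(ALPHA, r, P)) != pow(pub, r, P):
                raise ValueError(f"{ident}: no proof of possession")
        cert = (ident, pub)
        self.issued.add(cert)
        return cert

    def verify(self, cert):
        return cert in self.issued


def run_a0(check_possession, rogue=True):
    """One A(0) run between A and B.  With rogue=True, E replaces A's certificate
    by one T issued to E over A's long-term public key (attack steps 1 and 3).
    Returns both derived keys and the identity B attributes the key to; None if
    T refused E's certificate request, which blocks the attack."""
    T = Authority(check_possession)
    a, b = rand_exp(), rand_exp()                  # long-term private keys
    Za, Zb = pow(ALPHA, a, P), pow(ALPHA, b, P)    # long-term public keys
    cert_a = T.issue("A", Za, lambda c: pow(c, a, P))
    cert_b = T.issue("B", Zb, lambda c: pow(c, b, P))
    try:                                           # step 1: E has Za, not a
        cert_e = T.issue("E", Za, lambda c: None)
    except ValueError:
        if rogue:
            return None
        cert_e = None

    x = rand_exp()                                 # step 2: A's session value
    Ra = pow(ALPHA, x, P)
    cert_at_B = cert_e if rogue else cert_a        # step 3: E swaps the certificate

    y = rand_exp()                                 # step 4: B's session value
    Rb = pow(ALPHA, y, P)
    if not (T.verify(cert_at_B) and T.verify(cert_b)):
        return None
    peer_id, Z_peer = cert_at_B                    # Z_peer is Za either way
    K_B = pow(Ra, b, P) * pow(Z_peer, y, P) % P    # step 6, B: (R_a)^b * (Z_peer)^y

    _, Zb_recv = cert_b                            # step 5: Cert_b reaches A intact
    K_A = pow(Rb, a, P) * pow(Zb_recv, x, P) % P   # step 6, A: (R_b)^a * (Z_b)^x
    return {"K_A": K_A, "K_B": K_B, "B_peer": peer_id}
```

With `check_possession=False`, `run_a0` returns equal keys and `B_peer == "E"`, which is exactly the spurious conclusion: B holds A's key while attributing it to E. With `check_possession=True`, T refuses E's request because E cannot answer the challenge, and the substitution in step 3 is no longer possible.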

Next we give a formal derivation of goal G5, A believes fresh(K).

1. A believes fresh($R_a$)

by P6

2. A believes fresh(K)

by 1, Ax18, Ax1, Nec, MP, and def. of K

Note that while we are able to formally derive key freshness, we must
implicitly assume that B is competent in his choice of short and long
term agreement keys. For example, if he were to choose
$y \equiv 0 \pmod{p-1}$, then K would not depend on $R_a$, and the
derivation of freshness would be spurious.

  A computations                      messages sent              B computations
  ----------------------------------  -------------------------  ----------------------------------
  Cert_a = (K_a, ID_a, s_T{K_a, ID_a})                             Cert_b = (K_b, ID_b, s_T{K_b, ID_b})
  generate x, R_a = α^x               --> R_a
                                                                 generate y, R_b = α^y; K = (R_a)^y
                                                                 Token_ba = E_K(s_b{R_b, R_a})
  K = (R_b)^x;                        <-- R_b, Cert_b, Token_ba
  verify Cert_b, Token_ba
  Token_ab = E_K(s_a{R_a, R_b})       --> Cert_a, Token_ab
                                                                 verify Cert_a, Token_ab

Figure 2: The STS Protocol

4.3 The STS Protocol

We next review the authenticated key agreement protocol of Diffie, van
Oorschot and Wiener called the "Station-to-Station" (STS) protocol
[DvOW92]. A publicly known appropriate prime $p$ and primitive element
$\alpha$ in $GF(p)$ are fixed for use in Diffie-Hellman key exchange.
Parties A and B use a common signature scheme: $s_U\{\cdot\}$ indicates
the signature on the specified argument using the private signature key
of party U. $E_K(\cdot)$ indicates the symmetric encryption of the
specified argument using algorithm E under key K. Public key
certificates are used to make the public signature keys of A and B
available to each other. In a one-time process prior to the exchange
between A and B, each party must present to T his true identity and
public key (e.g., $ID_a$, $K_a$), have T verify his true identity by
some (typically non-cryptographic) means, and then obtain from T his own
certificate. The protocol is as follows.

1. A generates a random positive integer $x$, computes $R_a = \alpha^x$
and sends $R_a$ to a second party.

2. Upon receiving $R_a$, B generates a random positive integer $y$,
computes $R_b = \alpha^y$ and $K = (R_a)^y$.

3. B computes the authentication signature $s_b\{R_b, R_a\}$ and sends
to A the encrypted signature $Token_{ba} = E_K(s_b\{R_b, R_a\})$ along
with $R_b$ and his certificate $Cert_b$. Here ',' denotes
concatenation.

4. A receives these values and from $R_b$ computes $K = (R_b)^x$.

5. A verifies the validity of B's certificate by verifying the
signature thereon using the public signature verification key of the
trusted authority. If the certificate is valid, A extracts B's public
signature key, $K_b$, from $Cert_b$.

6. A verifies the authentication signature of B by decrypting
$Token_{ba}$ and using $K_b$ to check that the signature on the
decrypted token is valid for the known ordered pair $R_b, R_a$.

7. A computes $s_a\{R_a, R_b\}$ and sends to B her certificate $Cert_a$
and $Token_{ab} = E_K(s_a\{R_a, R_b\})$.

8. Analogously, B checks $Cert_a$. If valid, B extracts A's public
signature key $K_a$ and proceeds.

9. Analogously, B verifies the authentication signature of A by
decrypting $Token_{ab}$, and checking the signature on it using $K_a$
and knowledge of the expected pair of data $R_a, R_b$.

The protocol is successful from each party's point of view if signature
verification succeeds on both the received certificate and
authentication signature. In this case, the protocol provides assurance
that a shared secret has been jointly established with the party
identified in the received certificate.

Figure 2 provides a summary of the messages exchanged, and actions
taken, by each of the parties in this protocol.
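The nine steps above, run end to end with both sides' messages and checks, as an added example that is not code from the paper or from [DvOW92]. Everything cryptographic is a stand-in chosen for this example: Diffie-Hellman in $GF(p)$ over a toy safe prime $p = 2027$ (with $\alpha = 2$ as the primitive element), a Schnorr-style signature in the order-$q$ subgroup playing the role of $s_U\{\cdot\}$, and XOR with a SHA-256 keystream playing the role of $E_K(\cdot)$; none of the sizes are secure. The function `valid_exponential` is the practitioner's counterpart of the remark above about $y \equiv 0 \pmod{p-1}$: it rejects a received exponential of 1 or $p-1$ before the key is formed. The `mitm` flag of `run_sts` lets an intruder replace $R_a$ on its way to B, which must make A's check in step 6 fail because B then signs a pair A never sent. All function and variable names here are this example's own.

```python
"""Toy Station-to-Station (STS) run showing both sides' messages and checks.

Added example, not code from the paper.  Assumed stand-ins: DH in GF(p) with
toy safe prime p = 2027 (alpha = 2 is a primitive root, p = 3 mod 8); s_U{.}
is a Schnorr-style signature in the order-q subgroup; E_K(.) is XOR with a
SHA-256 keystream.  Sizes are far too small for real use.
"""
import hashlib
import secrets

P, Q, ALPHA = 2027, 1013, 2   # p = 2q + 1; alpha generates GF(p)*
G = pow(ALPHA, 2, P)          # order-q generator used by the signatures

def h(*parts):
    """SHA-256 of the '|'-joined text encoding of the arguments, as an integer."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")

def rand_exp():
    """Exponent in [1, q-1]: keeps alpha^x away from 1 and p-1 in this toy group."""
    return secrets.randbelow(Q - 1) + 1

def sig_keygen():
    s = rand_exp()
    return s, pow(G, s, P)                       # private s_U, public K_U

def sign(s, *msg):
    """s_U{msg}: (e, z) with e = H(g^r, msg), z = r + s*e mod q."""
    r = rand_exp()
    e = h(pow(G, r, P), *msg)
    return e, (r + s * e) % Q

def verify(v, sig, *msg):
    e, z = sig
    r_pub = pow(G, z, P) * pow(v, (-e) % Q, P) % P   # g^z * v^-e = g^r
    return h(r_pub, *msg) == e

def stream_xor(K, data):
    """E_K and its inverse: XOR with SHA-256(K | block counter)."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(f"{K}|{i // 32}".encode()).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

def make_token(K, sig):
    return stream_xor(K, f"{sig[0]},{sig[1]}".encode())

def open_token(K, tok):
    """Decrypt a token; under the wrong K the bytes do not parse, giving None."""
    try:
        e, z = stream_xor(K, tok).decode().split(",")
        return int(e), int(z)
    except (UnicodeDecodeError, ValueError):
        return None

def valid_exponential(R):
    """Reject alpha^0 = 1 and the order-2 element p-1; cf. the y = 0 (mod p-1)
    remark in the text, where K stops depending on the peer's contribution."""
    return 1 < R < P - 1

def run_sts(mitm=False):
    """One STS run.  mitm=True lets an intruder replace R_a by alpha*R_a on the
    way to B; A's check of Token_ba then fails because B signed the wrong pair.
    Returns both derived keys and peer identities, or None on any failure."""
    s_T, K_T = sig_keygen()
    s_A, K_A = sig_keygen()
    s_B, K_B = sig_keygen()
    cert_a = ("A", K_A, sign(s_T, "A", K_A))     # Cert_a = (ID_a, K_a, s_T{ID_a, K_a})
    cert_b = ("B", K_B, sign(s_T, "B", K_B))

    x = rand_exp()                               # 1. A -> B: R_a
    R_a = pow(ALPHA, x, P)
    R_a_at_B = ALPHA * R_a % P if mitm else R_a

    if not valid_exponential(R_a_at_B):          # 2.-3. B: R_b, K = (R_a)^y, Token_ba
        return None
    y = rand_exp()
    R_b = pow(ALPHA, y, P)
    K_b = pow(R_a_at_B, y, P)
    token_ba = make_token(K_b, sign(s_B, R_b, R_a_at_B))

    if not valid_exponential(R_b):               # 4.-6. A: K = (R_b)^x, Cert_b, Token_ba
        return None
    K_a = pow(R_b, x, P)
    id_b, K_B_recv, cert_sig = cert_b
    if not verify(K_T, cert_sig, id_b, K_B_recv):
        return None
    sig_b = open_token(K_a, token_ba)
    if sig_b is None or not verify(K_B_recv, sig_b, R_b, R_a):   # the pair A knows
        return None
    token_ab = make_token(K_a, sign(s_A, R_a, R_b))   # 7. A -> B: Cert_a, Token_ab

    id_a, K_A_recv, cert_sig = cert_a            # 8.-9. B: Cert_a, Token_ab
    if not verify(K_T, cert_sig, id_a, K_A_recv):
        return None
    sig_a = open_token(K_b, token_ab)
    if sig_a is None or not verify(K_A_recv, sig_a, R_a_at_B, R_b):
        return None
    return {"K_a": K_a, "K_b": K_b, "A_peer": id_b, "B_peer": id_a}
```

Note what the signature binds: B signs $(R_b, R_a)$ as he received them, and A checks against the $R_a$ she actually sent, so a modified $R_a$ is caught at step 6 even before the mismatched keys are considered. Encrypting the signature under $K$ is what turns this into key confirmation: a token that decrypts to a valid signature could only have been produced by someone who also holds $K$.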

4.3.1 Analysis of STS protocol

The specification of the STS protocol in our notation is as follows:

$A \rightarrow B: R_a$

$B \rightarrow A: R_b, (B, K_b, [B, K_b]_{K^{-1}}), \{[R_b, R_a]_{K^{-1}}\}_K$

$A \rightarrow B: R_a, (A, K_a, [A, K_a]_{K^{-1}}), \{[R_a, R_b]_{K^{-1}}\}_K$

We include in the premise set generic assumptions corresponding to A1
(trusting the authority's signature key), A2 (trusting the authority's
jurisdiction over signature keys), A4 (trusting the quality of one's own
agreement key), and A5 (trusting the freshness of one's own agreement
key). As with the MTI protocol A(0), in the STS protocol it is assumed
that the trusted authority has timeless jurisdiction over signatures;
thus, we cannot use A2 as stated above. The appropriate variant is
trivial to determine and appears as premise P3 below.

We saw in analyzing the A(0) protocol the subtlety of jurisdiction
assumptions. For reasons similar to the ones discussed in connection
with the attack on A(0) above we cannot allow principals to have
jurisdiction over the quality and binding of their own agreement keys.
(That is, we cannot unless other protections are in place, e.g., in the
case of STS a signature or keyed hash.) However, some related assumption
is necessary if we are to derive any results about the quality of the
session key K. Consequently, we record as one of our formal assumptions

A believes ((A received $\{[*_b, R_a]_{K^{-1}}\}_K$ $\wedge$
$PK_\sigma(B, K_b)$ $\wedge$ $PK_\delta(A, R_a)$) $\supset$
$PK_\delta(B, *_b)$)

the legitimacy of which we now proceed to justify.

First, we may assume that honest principals are competent enough to not
encrypt or sign messages blindly, i.e., without any understanding of the
message content. So, if A did not recognize $R_a$ within
$[*_b, R_a]_{K^{-1}}$, then A would not encrypt $[*_b, R_a]_{K^{-1}}$
with K. If A did recognize $R_a$ in $[*_b, R_a]_{K^{-1}}$, then she may
be assumed to be competent to recognize it as only to be used within
this protocol and again would not encrypt this with K. Thus, if A
believes (A received $\{[*_b, R_a]_{K^{-1}}\}_K$) then A believes that
someone other than herself said it. Given that A believes
$PK_\delta(A, R_a)$, A can also confirm that $K = (*_b)^x$, hence that
$*_b$ is a public agreement key.

We will independently, formally derive below that A believes B's
signature key to be good for B. Thus, A can infer that B signed $R_a$
together with either his own agreement key or someone else's. If $*_b$
is his own, then $PK_\delta(B, *_b)$. Assume that $*_b$ is not B's
agreement key. Thus, he can only have signed blindly, i.e., without
knowing the significance of $R_a$ or $*_b$. But, this violates
competency if B is honest. If B is dishonest, then either he has broken
the private agreement key corresponding to $*_b$ or the principal
corresponding to $*_b$ has been tricked into encrypting
$[*_b, R_a]_{K^{-1}}$ with K. The first possibility is implicitly
assumed not to have occurred. (Similarly, it is assumed that no one
other than B has B's private signature key.) And, the second
possibility is ruled out by an argument similar to that in the last
paragraph. Hence A is justified in inferring that B produced the
received message and therefore that $PK_\delta(B, *_b)$. A similar
argument justifies the corresponding assumption for B.

We also assume that honest principals are competent to use the public
keys they generate for a protocol run only within that run and to
properly execute the protocol. In practice this allows us to assume a
principal can recognize the message(s) sent by the other principal in
the protocol as not having originated with herself. This is reflected
in the premise set as P10.

Finally, the premise set includes the usual assumptions about what
principals received, what they comprehend, and how they interpret
received messages.

We now enumerate the premise set.

P1 A believes $PK_\sigma(T, K_T)$

B believes $PK_\sigma(T, K_T)$

P2 A believes $SV([B, K_b]_{K^{-1}}, K_T, (B, K_b))$

A believes $SV([*_b, R_a]_{K^{-1}}, K_b, (*_b, R_a))$

B believes $SV([A, K_a]_{K^{-1}}, K_T, (A, K_a))$

B believes $SV([*_a, R_b]_{K^{-1}}, K_a, (*_a, R_b))$

P3 A believes ((T said $PK_\sigma(B, K_b)$) $\supset$ $PK_\sigma(B, K_b)$)

B believes ((T said $PK_\sigma(A, K_a)$) $\supset$ $PK_\sigma(A, K_a)$)

P4 A believes $PK_\delta(A, R_a)$

B believes $PK_\delta(B, R_b)$

P5 A believes fresh($R_a$)

B believes fresh($R_b$)

P6 A believes A sees $(R_a, x)$

B believes B sees $(R_b, y)$

P7 A received

$R_b, (B, K_b, [B, K_b]_{K^{-1}}), \{[R_b, R_a]_{K^{-1}}\}_K$

B received

$R_a, (A, K_a, [A, K_a]_{K^{-1}}), \{[R_a, R_b]_{K^{-1}}\}_K$

P8 A believes A received

$*_b, (B, K_b, [B, K_b]_{K^{-1}}), \{[*_b, R_a]_{K^{-1}}\}_K$

B believes B received

$*_a, (A, K_a, [A, K_a]_{K^{-1}}), \{[*_a, R_b]_{K^{-1}}\}_K$

P9 A believes ((A received $\{[*_b, R_a]_{K^{-1}}\}_K$ $\wedge$
$PK_\sigma(B, K_b)$ $\wedge$ $PK_\delta(A, R_a)$) $\supset$
$PK_\delta(B, *_b)$)

B believes ((B received $\{[*_a, R_b]_{K^{-1}}\}_K$ $\wedge$
$PK_\sigma(A, K_a)$ $\wedge$ $PK_\delta(B, R_b)$) $\supset$
$PK_\delta(A, *_a)$)

P10 A believes $\neg$(A said $\{[*_b, R_a]_{K^{-1}}\}_K$)

B believes $\neg$(B said $\{[*_a, R_b]_{K^{-1}}\}_K$)

P11 A believes (T said $(B, K_b)$ $\supset$ T said $PK_\sigma(B, K_b)$)

B believes (T said $(A, K_a)$ $\supset$ T said $PK_\sigma(A, K_a)$)
We now derive formal goals G1-G5 for the STS protocol.

1. A believes A received $[(B, K_b)]_{K^{-1}}$

by P8, Ax1, Ax7, Nec, MP

2. A believes T said $PK_\sigma(B, K_b)$

by 1, P1, P2, P11, Ax1, Ax4, Nec, MP

3. A believes $PK_\sigma(B, K_b)$

by 2, P3, Ax1, MP

4. A believes A received $\{[*_b, R_a]_{K^{-1}}\}_K$

by P8, Ax1, Ax7, Nec, MP

5. A believes $PK_\delta(B, *_b)$

by 3, 4, P4, P9, Ax1, MP

6. A believes $A \stackrel{K}{\leftrightarrow} B$

by 5, P4, Ax1, Ax5, Nec, MP

(where $K = F_0(R_a, *_b)$)

7. A believes A sees $K$

by P8, P6, Ax1, Ax10, Ax11, Ax12, Nec, MP
(where $K = F_0(R_a, *_b)$)

8. A believes $A \stackrel{K}{\rightharpoonup} B$

by 6, 7, Ax1, MP, and def. of $A \stackrel{K}{\rightharpoonup} B$

9. A believes fresh($K$)

by P5, Ax18, MP (where $K = F_0(R_a, *_b)$)

10. A believes $*confirm_A(K)$

by 4, 9, P10, Ax1, MP,

and def. of $*confirm_A(K)$

11. A believes $A \stackrel{K}{\rightleftharpoons} B$

by 8, 10, Ax1, MP, and def. of $A \stackrel{K}{\rightleftharpoons} B$

12. A believes A received $[*_b, R_a]_{K^{-1}}$

by 4, 7, Ax1, Ax8, Nec, MP

13. A believes B said $(*_b, R_a)$

by 3, 12, P2, Ax1, Ax4, Nec, MP

14. A believes B says $(*_b, R_a)$

by 13, P5, Ax1, Ax19, Nec, MP

Goal G1 is a special case of G2, which is derived in line 14. G3 is
derived in line 8, G4 in line 11, and G5 in line 9. A similar proof
shows that all of these goals are formally derivable for B from the
same premise set.

There is no possibility of deriving G6 (mutual understanding of shared
key) for A. However, it would be possible to derive G6 for B with a
minimally revised premise set. It is a standard part of BAN idealization
to interpret the first message from a principal employing appropriate
use of a shared encryption key as including the assertion that the key
is good for the relevant principals. Thus, we might add a premise
allowing B to interpret receipt of $\{[*_a, R_b]_{K^{-1}}\}_K$ as
implying receipt of
$\{[*_a, R_b, A \stackrel{K}{\leftrightarrow} B]_{K^{-1}}\}_K$. This
would be sufficient to allow the derivation of G6 for B. But, as always
with such interpretations, we must be very careful. (Recall the earlier
discussion regarding problems hidden by assumptions in the idealization
of NS.) It would be incorrect to so interpret the message from B to A.
By the end of a successful protocol run B believes he has a good key
for communication with A; nonetheless, until he receives the last
message he has no guarantee that it is A with whom he is establishing a
key. He has received nothing from A when he sends his message except a
cleartext number that should appear random to him. (Presumably he also
has an indicator of who sent the number, but this is not assumed to be
protected in any way.) Thus, it would be wrong for A to interpret B's
message as including an assertion from him that
$B \stackrel{K}{\leftrightarrow} A$. This could only be reasonably
stated by B in a further message, subsequent to the last one he
receives in this protocol.

In [Low96] Lowe constructs an "attack" on STS. It is an attack because
"A believes that B thought that he (B) was talking to A." (p. 165) The
above discussion shows that such could not constitute an attack on STS
because this was never a goal of the protocol, nor was it stated to be
in [DvOW92]. In fact, in [vO93b] it was noted that such an "eager
belief" on A's part should be taken as unverified since it assumes B's
reception and processing of the third message. But, in the Lowe attack
on STS, B does not complete the protocol. A is entitled to infer entity
authentication of B (G2), and this remains true in the attack Lowe
constructs. But, A is not entitled to conclude that she has mutual
understanding with B (G6) or anything similar.

5 Conclusions and Further Study

In this paper we have presented a logic that encompasses four of its
predecessors in the BAN family. We have also presented a
model-theoretic semantics for our logic with respect to which it is
sound. Despite adding expressiveness and axioms sufficient to reason
about all the properties of cryptographic protocols to which these four
predecessors are addressed, it is no more syntactically complex than
any of them. In fact, measured by the number of rules or axioms and
their relative simplicity, it is less complex than GNY, AT, and VO.
And, it has about the same number as BAN. In sum, we believe this logic
to be about as simple to use as any of those from which it is derived;
yet it is more expressive than any of them. Indeed, our analysis of the
Needham-Schroeder protocol compares favorably in simplicity to the one
in [BAN89]. It also uncovers a previously unnoticed feature of the NS
protocol. This led us to more precisely delimit application context
assumptions and goals for the protocol than did either the original
[NS78] or the analysis in [BAN89].

We have also analyzed two key agreement protocols. The structure of
these is rather subtle and analysis commensurately more complex than
for simple key distribution protocols of the type analyzed in [BAN89].
Nonetheless, we used the logic to derive a number of desirable goals
for the protocols analyzed. And, by taking a closer look at the
assumptions necessary to derive those goals, we were led to find an
attack on one of them. We reiterate that one of the virtues of formal
protocol analysis is that it forces one to fully set out the formal
assumptions necessary for a derivation. And, one of the virtues of a
model-theoretic semantics is that it presents a mathematically rigorous
setting in which to evaluate the truth of those assumptions.

We have not looked at all the logics that have been derived from BAN,
e.g., [MB93]. (That logic is a contraction rather than an expansion of
BAN. It is designed to allow much that is informal in the analysis
process to be automated.) In particular we have not discussed logics
that express either time or message ordering. The goals of these logics
are somewhat more ambitious than those discussed above. One of those
goals is to address more types of replay attacks. BAN is only directed
at classic replays, i.e., replays of messages originally sent before
the current protocol began. GNY, with its not-originated-here syntax,
adds the ability to reason about some replay attacks using messages
from within the current protocol run but still does not address
interleaving attacks, that is attacks involving replay of messages from
at least two contemporaneous protocol runs. (Cf. [BGH+92], [DvOW92],
[Sne92], [Car93].) Indeed, none of the logics discussed in this paper
generally addresses interleavings at all. (One might, nonetheless,
uncover an interleaving attack by coincidence in the course of analysis
using one of these logics. The point is that there are no features of
these logics that address such attacks.)

Failure of methods such as BAN logic to address interleaving attacks
has led some to focus on the notion of current protocol run rather than
on freshness. However, this still leaves some types of replays
unaddressed (e.g., the first attack presented in [Syv93b]). We also
have not explored the relationship between different BAN-like logics
that reason about time (e.g., [GS91]) or the relationship they have to
logics that allow reasoning about message ordering (e.g., [KG91]). Our
suspicion is that the logics of [GS91] and [KG91] can be captured by
the logic of this paper with the temporal additions of [Syv93a].

Finally, we have not looked at the still more ambitious project of
unifying the BAN family with other types of logics. Nonetheless, we
have produced a unified BAN-like logic that captures the features of
four other BAN-like logics. We have approached this from the
perspective of having an integrated model. The result is more than a
collection of tools. Indeed, we believe it to be a better instance of
all the tools it contains.
A Relation to GNY extensions

In [GNY90], Gong, Needham, and Yahalom presented GNY. This logic is
noteworthy for making one of the largest additions to both the notation
and logical rules of BAN. It is therefore interesting to see how much
of it is easily accommodated in SVO. This is investigated in this
appendix. Similar investigation is made of VO in the next one.

A.1 GNY Notational Additions

$P \lhd X$: P is told X. This is expressed in our syntax as
'P received X'.

$P \ni X$: P possesses, or is capable of possessing X. This is
expressed in our syntax as 'P sees X'.

$P \mid\!\sim X$: P once conveyed X. This is expressed in SVO as
'P said X'.

$\#(X)$: X is fresh. This is expressed in SVO as 'fresh(X)'.

$\phi(X)$: Recognizability of X. In GNY rules this only occurs in the
context of someone's belief. This is consistent with the reasonable
requirement that recognizability be tied to an individual, rather than
considering what is recognizable to everyone. We will express this
relativization in SVO by translating expressions of the form
$P \mid\!\equiv \phi(X)$ in GNY as 'P believes P sees X'. This
relativization is discussed below when we look at GNY recognizability
rules.

$P \lhd *X$: P is told a formula that he did not convey previously in
the current run. This is captured in SVO as
'(P received X) $\wedge$ $\neg$(P says X)'. Note that the SVO
expression is actually broader than the GNY expression. It says that P
did not say X since the start of the current run, whether within the
run or not.

$X \leadsto C$: These are called message extensions. They are used in
conveyed messages to indicate conditionality of an assertion. They are
only used logically in connection with GNY J2, one of the jurisdiction
rules. We defer comment to the section below where we discuss this
rule.
It is interesting that we were unable to give translations for some of
the GNY formulae without referring to the corresponding logical rules.
This is because, beyond a minimal intuitive explanation, any technical
meaning that GNY expressions hold is tied up with the logic.

A.2 GNY Logical Rules

We will look at these rules with the following question in mind. Once
we have made an appropriate translation to SVO syntax, is there a
logical derivation (in SVO) of the conclusion of a rule from its
premises? If so, then the rule expresses a result that is syntactically
captured in SVO. (Hence, we know that it is also semantically captured
by our model of computation because of soundness.) When we say that a
GNY rule is derivable in SVO below we mean that the answer to the
question just asked is yes.

GNY Rationality Rule

This rule says that whenever we can infer $C_2$ from $C_1$, we can also
infer $P \mid\!\equiv C_2$ from $P \mid\!\equiv C_1$. It falls out of
the modus ponens rule and axiom Ax1.

GNY Being Told and Possession Rules

All of these rules are obviously derivable in SVO except T5. T5 says
that $P \lhd Y$ follows from $P \lhd F(X, Y)$ and $P \ni X$. F is taken
to be a many-to-one computationally feasible function that is
one-to-one computationally feasible if either X or Y is held constant,
as is its inverse. ([GNY90], p. 235.) It is difficult to assess such a
rule in general, but Gong et al. do provide one example of the type of
function they have in mind, viz: exclusive-or. Our discussion of T5
thus follows their example. If we view exclusive-or as encryption, then
T5 can be viewed as a general statement of T3, which says that
$P \lhd Y$ follows from $P \lhd \{Y\}_X$ and $P \ni X$. However, care
must be taken in such cases because, when exclusive-or is used for
encryption, $\{X\}_Y = \{Y\}_X$. Strictly speaking, in our language
this is only true when both X and Y are keys since $\{X\}_Y$ is only
well-formed when Y is a key. Nonetheless, according to T5 in GNY, if P
receives $X \oplus Y$ and P possesses both X and Y, then P has been
told X and been told Y. There may be applications for which this is a
reasonable inference, but the example shows why we might not want to
have T5 as a logical rule. Often, if not virtually always, we would
like to distinguish a message sent from attendant parameters, such as
keys used to encrypt the message. However, T5 obliterates this
distinction by treating the arguments of F symmetrically. Furthermore,
such symmetry can serve as the basis of attacks that allow a penetrator
to deduce keys from chosen, known, or guessed plaintext; for example,
the Simmons attack on the TMN protocol discussed in [TMN90]. This
example does not serve as a similar basis for criticism of T3. The
symmetry in the encryption algorithm subjects it to direct attack. This
violates the general assumption of all logics discussed herein that
encryptions are not breakable by direct attack (to reveal either the
plaintext or the key).

GNY Freshness Rules

All of these rules are derivable in SVO except F5 and F6. F5 says that
a principal's belief in the freshness of a private key follows from his
belief in the freshness of its public cognate. F6 expresses the
converse inference. There is no reason in practice to question these
rules; however, there is also no harm in practice in leaving them out
since public keys are usually long term and not distributed on line.
They thus do not generally play a role in freshness considerations. F11
is only derivable in SVO assuming R6, which will be discussed shortly.

GNY Recognizability Rules

All of these rules are derivable in SVO except R6. This rule says that
$P \mid\!\equiv \phi(X)$ follows from $P \ni H(X)$. But, from the mere
possession of H(X), P should not form any beliefs about X; without X,
he may not know that he is seeing H(X) rather than some other message
or even just a random bitstring. R6 as given in GNY is thus too strong,
although perhaps only with respect to this intuition. If we replace the
statement that P believes X is recognizable with a claim that X is
recognizable by P we get a more reasonable conclusion. However, we have
no formal means to directly represent this in either SVO or GNY. SVO
does have the expressive capability to indicate that a principal
recognizes a given bitstring as the same one that yielded the hash he
received in a previous message, which appears to be the intended effect
of R6. Recall that GNY only expresses recognizability in the context of
belief, e.g., $P \mid\!\equiv \phi(X)$, and this is the GNY formula for
which we have provided an SVO translation. Indeed, as the above
discussion shows, our treatment allows us to capture the effects of GNY
recognizability with weaker logical rules.

GNY Message Interpretation Rules

We do not attempt to handle all of these, on general grounds of logical
unwieldiness and inelegance. We make an admittedly arbitrary division
by addressing only those rules containing less than five premises. Once
appropriate translations have been made, these are derivable in SVO
except for the second conclusion of I4:
$P \mid\!\equiv Q \mid\!\sim \{X\}_{K^{-1}}$. We saw no practical value
of such a conclusion. Should this be incorrect, 'Q said
$[X]_{K^{-1}}$' can be added to the consequent of axiom Ax4. Similar
addition can be made to axiom Ax3. The logic remains sound with respect
to the semantics given in §3. As mentioned earlier, some BAN logics
assume message recovery from signatures. GNY does not actually even
explicitly discuss signatures. I4 and I5 are meant to be used with
public key encryption schemes such as RSA, where
$\{\{X\}_{K^{-1}}\}_K = X$. In claiming that we can capture the
reasoning of these rules, we are assuming in our translation that a
more common scheme (for which message recovery is not possible) is
being used rather than one such as they describe.

GNY Jurisdiction Rules

Like AT, SVO separates belief from everything else, including trust.
This is useful (and perhaps the only way one is likely to maintain a
model-theoretic semantics). The only jurisdiction rule (actually axiom)
in SVO is the same as in AT, viz:
$P$ controls $\varphi$ $\wedge$ $P$ says $\varphi$ $\supset$ $\varphi$.

GNY J1 is taken directly from BAN's jurisdiction rule. BAN also has
only one rule in this category. Nonetheless, BAN's rule is not
derivable from the above nor valid in the semantics. This is no great
loss since the only iterated beliefs we generally care about are
derived from things that one principal says to another. In other words,
the above axiom captures what we need from J1. BAN and GNY must express
jurisdiction in terms of belief since that is their only way to capture
a principal's actions in the current epoch. A more detailed discussion
of this is given in [AT91], §3.2.

As Gong et al. say (p. 240) that J3 is just a special case of J2, we
focus on J2.

(From $P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *$,
$P \mid\!\equiv Q \mid\!\sim (X \leadsto C)$, and
$P \mid\!\equiv \#(X)$, infer $P \mid\!\equiv Q \mid\!\equiv C$.) This
rule introduces new notation not discussed elsewhere.
'$P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *$' captures the
idea that P believes Q to be honest (Q only says what he believes) and
competent (Q understands the implications of what he says). This can be
translated directly to the following SVO syntax expression:
P believes (((Q says X) $\wedge$ (X $\supset$ C)) $\supset$
(Q believes C)). The second premise of the rule can also be translated
directly to SVO: P believes ((Q said X) $\wedge$ (X $\supset$ C)). And,
the third premise is the same in GNY and SVO, except for an irrelevant
notational difference. Similarly, the conclusion of the rule is the
same in GNY and SVO. So, the rule is entirely expressible within the
SVO syntax. Furthermore, it is not only sound but an easy logical
derivation in SVO.

B Relation to VO extensions

The first paper to introduce the capability to reason about key agreement, e.g., Diffie-Hellman exchanges, to a BAN-like logic is [vO93b]. Some of the notation and rules introduced therein arise naturally in such protocols, but they are also applicable to shared and private key protocols as discussed in the above papers.


B.1 VO Notational Additions and Logical Rules

$A \stackrel{K}{\rightharpoonup} B$: K is A's unconfirmed secret suitable for B. No one aside from A and B and those they trust knows or could deduce K. This construct emphasizes, however, that while A knows K, B may or may not. This notation arises quite naturally when looking at key agreement protocols, such as Diffie-Hellman type key distributions, and is actually easy to capture in our semantics. Since ‘$A \stackrel{K}{\leftrightarrow} B$’ simply means that K is a good key for A and B regardless of whether either of them knows this, we can actually define $A \stackrel{K}{\rightharpoonup} B$ in the SVO syntax: $(A \stackrel{K}{\leftrightarrow} B) \wedge (A \text{ sees } K)$.

$A \stackrel{K}{\Leftrightarrow} B$: K is A's confirmed secret suitable for B. A knows K, and has received evidence confirming that B knows K. No parties other than A and B and those they trust know or can feasibly deduce K. This is a little trickier to capture in our semantics, for we must decide what it means for A to receive confirmation that B knows K. Let us consider a typical example of such confirmation in a protocol. Suppose B has just received the session key K and wants to confirm this to A. If she has sent him a nonce $N_a$ earlier in the protocol run, a typical way for B to send confirmation is by encrypting $N_a$ (or perhaps $N_a - 1$) together with his own name under K and sending this to A. VO reasons about the key confirmation B sends to A in this example by introducing confirmation axioms, which we will discuss below when we come to the confirm(K) notation.

How would this key confirmation be handled using existing constructs in SVO? Consider an SVO analysis of a key distribution protocol where the above confirmation occurs. The standard practice in [BAN89] would be to idealize this in the protocol analysis by B sending to A $\{N_a, (A \stackrel{K}{\leftrightarrow} B), B\}_K$. In other words, the protocol idealization of B's sending such a message incorporates B saying that K is a good key for A and himself. But notation of the form $A \stackrel{K}{\leftrightarrow} B$ is BAN's only way to express statements about a key. Using SVO notation we can make the more accurate interpretation of this message as $\{N_a, (B \text{ sees } K), B\}_K$. Thus our premise set would include $A$ believes $(A \text{ received } \{N_a - 1, B\}_K \supset A \text{ received } \{N_a - 1, (B \text{ sees } K), B\}_K)$. Given that A has the necessary beliefs about the freshness of $N_a$ and the (unconfirmed) goodness of K we can derive the conclusion of the VO key confirmation rule (R32) within SVO. Thus, if we translate the syntax $A \stackrel{K}{\Leftrightarrow} B$ as $A$ believes $((A \stackrel{K}{\rightharpoonup} B) \wedge (U \text{ says } U \text{ sees } K))$, where $U \neq A$, reasoning about key confirmation can be captured entirely within SVO. (Translating this fully back to the SVO syntax we get $A$ believes $((A \stackrel{K}{\leftrightarrow} B \wedge A \text{ sees } K) \wedge (U \text{ says } (U \text{ sees } K)))$, where $U \neq A$.)$^{10}$

The technique of the last paragraph allows us to capture key confirmation entirely without adding explicit confirmation syntax to SVO. However, there is a hidden informal assumption in such an approach. We can only use it if we systematically employ meta-rules for premise formation. Instead of explicitly using the confirmation axioms (C1-C3) of [vO93b] we must, in effect, always employ those axioms in premises of this type (i.e., receiver's interpretation premises). On the other hand, if we add the VO notation and rules, there is no need to give, e.g., A's interpretation of receiving $\{N_a\}_K$. We thus have a choice. On the one hand is a more streamlined logic and semantics accompanied by more assumptions about message interpretation, while on the other is a more complex logic and semantics accompanied by fewer such assumptions. By far the greatest source of confusion and misapplication of BAN to date has come from slipping dubious assumptions in (or leaving necessary assumptions out) during protocol idealization. The more formally explicit approach is thus safer, but either can be rigorously followed to the same practical effect. In the next paragraph we will discuss a proposal that combines the advantages of explicit axioms and a simpler logic.

confirm(K): Current knowledge of K has been demonstrated. We have been discussing the relative merits of capturing key confirmation via axioms and via direct translation to the syntax of SVO. If we choose to follow the latter route, then ‘confirm(K)’ becomes irrelevant notation. The confirmation axioms make use of recognizability in the sense of GNY. Thus, if we wish to follow the former route, we will have to relativize ‘confirm(K)’ in just the way that we relativized ‘$\phi(X)$’ in appendix A.1. For convenience in the following discussion we introduce the syntactic shorthand $\phi_P(X) \equiv P$ believes $P$ sees $X$. (This would be intuitively too strong if $\phi_P(X)$ were understood as X is recognizable to P. The intuitive reading in what follows might better be rendered as P recognizes X, for which P believes P sees X is a more acceptable approximation. In any case, the following discussion will ultimately obviate this notation.) The relativization is thus trivial notationally. For example, VO axiom C3 becomes

$$
\mathit{fresh}(K) \wedge \phi_P(H(K)) \supset \mathit{confirm}_P(K)
$$

We could use this to try to treat $\mathit{confirm}_P(K)$ as a defined term following the axioms. But this raises some problems. Suppose we introduce the following definition (which encompasses C1, C2, and C3):

$$
\mathit{confirm}_P(K) \equiv (\mathit{fresh}(X) \wedge \phi_P(\{X\}_K)) \vee (\mathit{fresh}(X) \wedge \phi_P(\mathit{MAC}_K(X))) \vee (\mathit{fresh}(K) \wedge \phi_P(H(K)))
$$

$^{10}$For reasons that will soon become apparent, we will give a revised definition of ‘$A \stackrel{K}{\Leftrightarrow} B$’ below.

If we were then to try to apply this in VO rule R32, we would need to verify that $A$ received $*\mathit{confirm}_A(K)$. (Recall that VO follows GNY in using ‘$*$’ to indicate that a message originated elsewhere, rather than to indicate a message that may not be understood, as in SVO.) Unpacking the syntactic definition this would mean that $A$ received $*((\mathit{fresh}(X) \wedge \phi_A(\{X\}_K)) \vee (\mathit{fresh}(X) \wedge \phi_A(\mathit{MAC}_K(X))) \vee (\mathit{fresh}(K) \wedge \phi_A(H(K))))$. But, since receiving does not distribute across disjunctions, this would never actually be satisfied. Actually this problem exists for R32 even before we attempt to give a definition: it is clear that in the condition $A$ received $*\mathit{confirm}_A(K)$, A is not meant to see a statement regarding freshness. Rather she is supposed to see a statement that contains a fresh component. In addition there is the open-endedness of the axiom list. These axioms were meant to capture three common ways of establishing key confirmation in practice, but others are possible. A fourth would simply involve sending the key K itself in a message; the message would itself have to be fresh somehow if the key K was not known to be fresh. (Note that in Diffie-Hellman key agreement, it is.) So, another axiom would be

C4. $\phi_P(K) \wedge \mathit{fresh}(K) \supset \mathit{confirm}_P(K)$

These and similar possibilities can all be represented in SVO by a single syntactic definition:

$$
\mathit{confirm}_P(K) \equiv ((P \text{ received } F(X, K)) \wedge \phi_P(F(X, K)) \wedge (\mathit{fresh}(X) \vee \mathit{fresh}(K)))
$$

Here F is a feasibly computable function that is effectively one-one. This means it is infeasible to find any two pairs $(X, K)$ mapping to the same value. F is required to be one-way (in the sense that encryptions, MACs, and cryptographic hash functions would be) if and only if it is important that K not be revealed by the confirmation process itself.$^{11}$ This also allows a more general definition of (data) confirmation (rather than key confirmation). Restricting confirmation to keys seems unnecessary, and it should not be a general constraint that data are not revealed through the confirmation process. Ways of confirming knowledge of information without revealing the information itself are the subject of a large area of research, namely zero-knowledge; this subject is beyond the scope of the present work. Note X can be null, and F could be the identity function, as in C4, the above axiom. We have incorporated ‘$P$ received $F(X, K)$’ into the definition because confirmation is only relevant if someone receives it. Bringing this into the axiom itself avoids the problem of distributing received raised above. We can provide a similar definition to indicate that P has received confirmation from someone other than herself:

$^{11}$In confirming knowledge of K, the intention is that the key K itself is not revealed. However, in terms of formal definition, this is irrelevant; what is of import is confirmation only. If a key K is somehow compromised, whether in relation to key confirmation or otherwise, this may violate an assumption about key quality, but that should be treated distinctly from key confirmation.

$$
*\mathit{confirm}_P(K) \equiv (P \text{ believes } P \text{ received } F(X, K)) \wedge \neg(P \text{ said } F(X, K)) \wedge (\mathit{fresh}(X) \vee \mathit{fresh}(K))
$$

The definition just introduced has a number of advantages. It makes confirmation criteria explicit but constitutes no addition to SVO since it is eliminable, i.e., it can always be replaced by the longer expression that is purely in the language of SVO. (We have already dropped in this definition the notational shorthand of $\phi_P(F(X, K))$.) As just indicated, its application goes beyond the current context. It still requires that informal work be done, but the interpretation of protocol messages is as direct as it would be were we to use the axioms from [vO93b]. (As in our example of returning an encrypted nonce above, A's receipt of $\{N_a - 1, B\}_K$ need not be interpreted as receipt of $\{N_a - 1, (B \text{ sees } K), B\}_K$.) The informal step is in determining whether or not this constitutes a function and functional arguments as stipulated in the axiom. But this question is not subject to the same difficulties as when determining the intended meaning of a message. Here we need only make a determination based on mathematically rigorous criteria, up to the limits of the usual cryptographic assumptions made in protocol analysis.

Given the considerations of the last several paragraphs, we revise our definition of ‘$A \stackrel{K}{\Leftrightarrow} B$’.

$$
A \stackrel{K}{\Leftrightarrow} B \equiv ((A \text{ believes } A \stackrel{K}{\rightharpoonup} B) \wedge *\mathit{confirm}_A(K))
$$
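The two definitions above, $\mathit{confirm}_P(K)$ with $F(X, K)$ instantiated as a MAC (the C2 form) and $*\mathit{confirm}_P(K)$ with its $\neg(P \text{ said } F(X, K))$ conjunct, as an added example in Python. This is illustrative code written for this appendix; it is not code from the paper or from [vO93b], and the Principal class, its method names and the sample key are assumptions of the example. Freshness of X is tracked as the set of nonces a principal generated and has not yet consumed, recognizability as verification of the MAC under K, and the "not said by P herself" condition as a record of every tag the principal has sent, so that a tag she computed herself is rejected even though it verifies.

```python
import hashlib
import hmac
import secrets


def confirmation_tag(key: bytes, nonce: bytes) -> bytes:
    """F(X, K) instantiated as MAC_K(X): one-way, so K is not revealed by the confirmation."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Principal:
    """Local state a principal needs to evaluate *confirm_P(K) for a received F(X, K)."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key          # K, the key whose possession by the peer is to be confirmed
        self.fresh = set()      # nonces X this principal generated and has not yet consumed
        self.said = set()       # every F(X, K) this principal has itself sent

    def challenge(self) -> bytes:
        """Issue a fresh nonce X; fresh(X) is a local fact, not something read off the wire."""
        x = secrets.token_bytes(16)
        self.fresh.add(x)
        return x

    def respond(self, x: bytes) -> bytes:
        """Demonstrate knowledge of K by returning F(X, K), recording that we said it."""
        tag = confirmation_tag(self.key, x)
        self.said.add(tag)
        return tag

    def accept(self, x: bytes, tag: bytes) -> bool:
        """*confirm_P(K): P received F(X, K) and recognises it, P did not say it, and fresh(X)."""
        if x not in self.fresh:                                   # fresh(X) fails
            return False
        if tag in self.said:                                      # (P said F(X, K)) holds, so reject
            return False
        if not hmac.compare_digest(tag, confirmation_tag(self.key, x)):
            return False                                          # not recognisable as F(X, K) under K
        self.fresh.discard(x)                                     # X is consumed: it is no longer fresh
        return True


# Constructed sample key for the runs below; not a real secret.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def honest_run() -> bool:
    """B answers A's challenge under the shared K: confirmation is accepted."""
    a, b = Principal("A", SAMPLE_KEY), Principal("B", SAMPLE_KEY)
    x = a.challenge()
    return a.accept(x, b.respond(x))


def self_originated_run() -> bool:
    """A tag A computed herself is presented back to her: rejected by the 'not said' conjunct."""
    a = Principal("A", SAMPLE_KEY)
    x = a.challenge()
    return a.accept(x, a.respond(x))


def wrong_key_run() -> bool:
    """B holds a different key, so the tag is not recognisable as F(X, K) under A's K."""
    a, b = Principal("A", SAMPLE_KEY), Principal("B", bytes(16))
    x = a.challenge()
    return a.accept(x, b.respond(x))


def replayed_run() -> bool:
    """A valid tag presented a second time fails because X is no longer fresh."""
    a, b = Principal("A", SAMPLE_KEY), Principal("B", SAMPLE_KEY)
    x = a.challenge()
    tag = b.respond(x)
    return a.accept(x, tag) and a.accept(x, tag)
```

The three rejecting runs correspond one-to-one to the three conjuncts of $*\mathit{confirm}_P(K)$: recognizability under K, origin other than P herself, and freshness of X. The `said` record is what makes the middle conjunct checkable at all; without it a verifier that only checks the MAC would accept its own output.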

We now turn to notation for reasoning about public and private keys. The BAN notation to represent that K is A's public key is ‘$\stackrel{K}{\mapsto} A$’. It is simply assumed in BAN that the corresponding private key is kept secret. Notation for the private key, $K^{-1}$, is only used to indicate encryption using the key, e.g., $\{X\}_{K^{-1}}$. A's possession of $K^{-1}$ is meant to be implicitly inferred from $A$ believes $\stackrel{K}{\mapsto} A$. GNY introduces syntax for explicitly representing and reasoning about possession of private keys. Nonetheless, goodness of a private key is still meant to be inferred from a statement about the public key as in BAN, i.e., from $\stackrel{K}{\mapsto} A$. In [GS91], Gaarder and Snekkenes separate statements representing that A has associated a good public key K, viz. $PK(A, K)$, from those representing that A has associated some good private key, viz. $\Pi(A)$. Thus the judgement about the quality of the private key is now associated with a statement about the private key, rather than being implied by a statement about the public key. In effect, this separates statements about the binding of a public key to a principal from statements about the quality of a principal's private key. Gaarder and Snekkenes separated these to reason about certificates binding a principal to a public key in the X.509 protocol separately from evaluating trust that the corresponding private key is kept secret. VO follows the developments of Gaarder and Snekkenes and also introduces distinct notation for public keys for signing, enciphering, and key agreement.

$PK_\sigma(A, K)$: K is the public signature verification key associated with principal A.

$PK_\sigma^{-1}(A)$: A's private signature key $K^{-1}$ is good. Here $K^{-1}$ corresponds to the public key K in $PK_\sigma(A, K)$.$^{12}$

Analogous definitions are made for enciphering ($PK_\psi(A, K)$, $PK_\psi^{-1}(A)$) and key agreement ($PK_\delta(A, K)$, $PK_\delta^{-1}(A)$). Unfortunately in the semantics of §3 we were unable to give truth conditions for all of these individually. We have reverted to grouping the binding of a public key together with the quality (secrecy) of the private key. We thus use ‘$PK(A, K)$’ to mean both that K is the public key associated with principal A and that the corresponding private key, $K^{-1}$, is good. If this is a loss, it is logically speaking a minor one. There are good reasons for separating the two notions, for there are two distinct kinds of protocol failures here. On the one hand, the secrecy of a private key might be compromised. On the other hand, a principal A might be tricked into thinking that the wrong public key is bound to principal B. The distinction introduced by Gaarder and Snekkenes allows us to differentiate these failures. Nonetheless, the only logical use of the corresponding expressions occurs in their rule R13, where both proper binding and good private keys are premises of the rule. (Actually, what is required is belief therein, but this is an aside.) This is similarly true for VO's rules. Thus, since both good public binding and good private keys are required for any logical use of these notions, it is sufficient to have notation that captures them together. (Nevertheless, we acknowledge that it would be nice to have the requirements syntactically separated for a more direct reflection of the nature of potential failures.)

$^{12}$We are following convention here by using ‘$K^{-1}$’ to refer to a private signature key. Some schemes such as RSA can be used for both enciphering and signatures because of invertibility. This makes the notational choice quite natural. However, some signature schemes are not invertible, and for those schemes the notation is slightly deceptive.

Aside from the key confirmation axioms already discussed, VO introduces three new logical rules. (These are presented in appendix E.) They are all derivable in SVO, with the translations discussed above.

C GNY Rules

We present these GNY rules without any explanation of the rules or notation therein. Readers are referred to [GNY90] for details.

C.1 Rationality Rule

C1. If $\dfrac{C1}{C2}$ is a rule, then for any principal $P$, so is $\dfrac{P \mid\!\equiv C1}{P \mid\!\equiv C2}$.

C.2 Being-Told Rules

T1. $\dfrac{P \triangleleft *X}{P \triangleleft X}$

T2. $\dfrac{P \triangleleft (X, Y)}{P \triangleleft X}$

T3. $\dfrac{P \triangleleft \{X\}_K,\ P \ni K}{P \triangleleft X}$

T4. $\dfrac{P \triangleleft \{X\}_{+K},\ P \ni -K}{P \triangleleft X}$

T5. $\dfrac{P \triangleleft \{X\}_{-K},\ P \ni +K}{P \triangleleft X}$

T6. $\dfrac{P \triangleleft F(X, Y),\ P \ni X}{P \triangleleft Y}$

C.3 Possession Rules

P1. $\dfrac{P \triangleleft X}{P \ni X}$

P2. $\dfrac{P \ni X,\ P \ni Y}{P \ni (X, Y),\ P \ni F(X, Y)}$

P3. $\dfrac{P \ni (X, Y)}{P \ni X}$

P4. $\dfrac{P \ni X}{P \ni H(X)}$

P5. $\dfrac{P \ni F(X, Y),\ P \ni X}{P \ni Y}$

P6. $\dfrac{P \ni K,\ P \ni X}{P \ni \{X\}_K,\ P \ni \{X\}_K^{-1}}$

P7. $\dfrac{P \ni +K,\ P \ni X}{P \ni \{X\}_{+K}}$

P8. $\dfrac{P \ni -K,\ P \ni X}{P \ni \{X\}_{-K}}$


C.4 Freshness Rules

F1. $\dfrac{P \mid\!\equiv \#(X)}{P \mid\!\equiv \#(X, Y),\ P \mid\!\equiv \#F(X)}$

F2. $\dfrac{P \mid\!\equiv \#(X),\ P \ni K}{P \mid\!\equiv \#(\{X\}_K),\ P \mid\!\equiv \#(\{X\}_K^{-1})}$

F3. $\dfrac{P \mid\!\equiv \#(X),\ P \ni +K}{P \mid\!\equiv \#(\{X\}_{+K})}$

F4. $\dfrac{P \mid\!\equiv \#(X),\ P \ni -K}{P \mid\!\equiv \#(\{X\}_{-K})}$

F5. $\dfrac{P \mid\!\equiv \#(+K)}{P \mid\!\equiv \#(-K)}$

F6. $\dfrac{P \mid\!\equiv \#(-K)}{P \mid\!\equiv \#(+K)}$

F7. $\dfrac{P \mid\!\equiv \phi(X),\ P \mid\!\equiv \#(K),\ P \ni K}{P \mid\!\equiv \#(\{X\}_K),\ P \mid\!\equiv \#(\{X\}_K^{-1})}$

F8. $\dfrac{P \mid\!\equiv \phi(X),\ P \mid\!\equiv \#(+K),\ P \ni +K}{P \mid\!\equiv \#(\{X\}_{+K})}$

F9. $\dfrac{P \mid\!\equiv \phi(X),\ P \mid\!\equiv \#(-K),\ P \ni -K}{P \mid\!\equiv \#(\{X\}_{-K})}$

F10. $\dfrac{P \mid\!\equiv \#(X),\ P \ni X}{P \mid\!\equiv \#(H(X))}$

F11. $\dfrac{P \mid\!\equiv \#(H(X)),\ P \ni H(X)}{P \mid\!\equiv \#(X)}$


C.5 Recognizability Rules

R1. $\dfrac{P \mid\!\equiv \phi(X)}{P \mid\!\equiv \phi(X, Y),\ P \mid\!\equiv \phi(F(X))}$

R2. $\dfrac{P \mid\!\equiv \phi(X),\ P \ni K}{P \mid\!\equiv \phi(\{X\}_K),\ P \mid\!\equiv \phi(\{X\}_K^{-1})}$

R3. $\dfrac{P \mid\!\equiv \phi(X),\ P \ni +K}{P \mid\!\equiv \phi(\{X\}_{+K})}$

R4. $\dfrac{P \mid\!\equiv \phi(X),\ P \ni -K}{P \mid\!\equiv \phi(\{X\}_{-K})}$

R5. $\dfrac{P \mid\!\equiv \phi(X),\ P \ni X}{P \mid\!\equiv \phi(H(X))}$

R6. $\dfrac{P \ni H(X)}{P \mid\!\equiv \phi(X)}$
C.6 Message Interpretation Rules

We present only I4, I6, and I7.

I4. $\dfrac{P \triangleleft \{X\}_{-K},\ P \ni +K,\ P \mid\!\equiv \stackrel{+K}{\mapsto} Q,\ P \mid\!\equiv \phi(X)}{P \mid\!\equiv Q \mid\!\sim X,\ P \mid\!\equiv Q \mid\!\sim \{X\}_{-K}}$

I6. $\dfrac{P \mid\!\equiv Q \mid\!\sim X,\ P \mid\!\equiv \#(X)}{P \mid\!\equiv Q \ni X}$

I7. $\dfrac{P \mid\!\equiv Q \mid\!\sim (X, Y)}{P \mid\!\equiv Q \mid\!\sim X}$


C.7 Jurisdiction Rules

J1. $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow C,\ P \mid\!\equiv Q \mid\!\equiv C}{P \mid\!\equiv C}$

J2. $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *,\ P \mid\!\equiv Q \mid\!\sim (X \leadsto C),\ P \mid\!\equiv \#(X)}{P \mid\!\equiv Q \mid\!\equiv C}$

J3. $\dfrac{P \mid\!\equiv Q \mid\!\Rightarrow Q \mid\!\equiv *,\ P \mid\!\equiv Q \mid\!\equiv Q \mid\!\equiv C}{P \mid\!\equiv Q \mid\!\equiv C}$


D AT Rules and Axioms

We present these AT rules and axioms without explanation. Readers are referred to [AT91] for details.

There are two rules:

R1. Modus Ponens: From $\vdash \varphi$ and $\vdash \varphi \supset \psi$ infer $\vdash \psi$.

R2. Necessitation: From $\vdash \varphi$ infer $\vdash P$ believes $\varphi$.

Axioms are all instances of tautologies of classical propositional calculus, and all instances of the following axiom schemata:

Believing

For any principal $P$ and formulae $\varphi$ and $\psi$,

A1. $P$ believes $\varphi \wedge P$ believes $(\varphi \supset \psi) \supset P$ believes $\psi$

A2. $P$ believes $\varphi \supset P$ believes $(P$ believes $\varphi)$

A3. $\neg(P$ believes $\varphi) \supset P$ believes $(\neg(P$ believes $\varphi))$

Message Meaning

If $P \neq S$, then

A5. $P \stackrel{K}{\leftrightarrow} Q \wedge R$ sees $\{X^{S}\}_K \supset Q$ said $X$

A6. $P \stackrel{Y}{\rightleftharpoons} Q \wedge R$ sees $\langle X^{S}\rangle_Y \supset Q$ said $X$

Seeing

A7. $P$ sees $(X_1, \ldots, X_n) \supset P$ sees $X_i$

A8. $P$ sees $\{X^{S}\}_K \wedge P$ has $K \supset P$ sees $X$

A9. $P$ sees $\langle X^{S}\rangle_Y \supset P$ sees $X$

A10. $P$ sees $X^{Y} \supset P$ sees $X$

A11. $P$ sees $\{X^{S}\}_K \wedge P$ has $K \supset P$ believes $(P$ sees $\{X^{S}\}_K)$

Saying

A12. $P$ said $(X_1, \ldots, X_n) \supset P$ said $X_i$

A13. $P$ said $\langle X^{S}\rangle_Y \supset P$ said $X$

A14. $P$ sees $X^{Y} \wedge \neg(P$ sees $X) \supset P$ said $X$

If ‘says’ is substituted for ‘said’ throughout in A12, A13, or A14, the result is also an axiom.

Jurisdiction

A15. $P$ controls $\varphi \wedge P$ says $\varphi \supset \varphi$

Freshness

A16. $\mathit{fresh}(X_i) \supset \mathit{fresh}(X_1, \ldots, X_n)$

A17. $\mathit{fresh}(X) \supset \mathit{fresh}(\{X\}_K)$

A18. $\mathit{fresh}(X) \supset \mathit{fresh}(\langle X\rangle_Y)$

A19. $\mathit{fresh}(X) \supset \mathit{fresh}(X^{Y})$

Nonce-Verification

A20. $\mathit{fresh}(X) \wedge P$ said $X \supset P$ says $X$

Shared Keys and Secrets

A21. $P \stackrel{K}{\leftrightarrow} P' \equiv P' \stackrel{K}{\leftrightarrow} P$

A22. $P \stackrel{Y}{\rightleftharpoons} P' \equiv P' \stackrel{Y}{\rightleftharpoons} P$

E VO Rules

We present the three rules introduced in [vO93b] (in the original notation).

R30. $\dfrac{A \text{ has } PK_\delta^{-1}(A),\ A \text{ has } PK_\delta(U)}{A \text{ has } K}$ where $K = f(PK_\delta^{-1}(A), PK_\delta(U))$.

R31. $\dfrac{A \mid\!\equiv PK_\delta^{-1}(A),\ A \mid\!\equiv PK_\delta(B),\ A \mid\!\equiv PK_\delta^{-1}(B)}{A \mid\!\equiv A \stackrel{K}{\rightharpoonup} B}$ where $K = f(PK_\delta^{-1}(A), PK_\delta(B))$.

R32. $\dfrac{A \mid\!\equiv A \stackrel{K}{\rightharpoonup} B,\ A \text{ sees } *\mathit{confirm}(K)}{A \mid\!\equiv A \stackrel{K}{\Leftrightarrow} B}$